├── .gitignore
├── LICENSE
├── README.md
├── coverage.py
├── data
│   ├── CarbonBlack.1.APT3.1_Results.json
│   ├── CrowdStrike.1.APT3.1_Results.json
│   ├── Cybereason.1.APT3.1_Results.json
│   ├── Endgame.1.APT3.1_Results.json
│   ├── F-Secure.1.APT3.1_Results.json
│   ├── FireEye.1.APT3.1_Results.json
│   ├── GoSecure.1.APT3.1_Results.json
│   ├── McAfee.1.APT3.1_Results.json
│   ├── Microsoft.1.APT3.1_Results.json
│   ├── PaloAltoNetworks.1.APT3.1_Results.json
│   ├── RSA.1.APT3.1_Results.json
│   └── SentinelOne.1.APT3.1_Results.json
├── detection_types.txt
├── kill_chain_analysis.py
├── query_attack.py
├── simple_score.py
└── total_misses.py

/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
query_scores.py

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# attack-eval-scoring

This project represents my attempts at analyzing the results of round 1 of the MITRE Enterprise ATT&CK Evaluation. With the release of round 2 results, please check out my new project:
https://github.com/joshzelonis/EnterpriseAPT29Eval

For my initial blog post on the subject, check out:
https://go.forrester.com/blogs/measuring-vendor-efficacy-using-the-mitre-attck-evaluation/

## simple_score.py
In parsing the results, I found 56 ATT&CK techniques were measured with 136 procedures for doing so. This is a quick script for applying the scale on a procedure (or per step) basis. There were many instances where there were multiple detections for a single procedure/step, which would skew any counting method that did not take this into account.

## coverage.py
This script generates two key metrics for understanding vendor performance. The first is a coverage score, which gives insight into the percentage of ATT&CK techniques the solution was able to generate any type of detection against. This can be viewed as a high-water mark for how the product could be used to generate detections. The second metric is a correlation metric, which is the percentage of detections that had a tainted modifier.
This is useful for understanding how the product reduces work for SOC analysts.

## kill_chain_analysis.py
There were 10 different stages of attack measured from initial compromise to execution of persistence across two scenarios. One may argue that the most critical capability is being able to alert on an adversary at each stage of an intrusion. This script analyzes and breaks out how each vendor performed at each stage of these scenarios on the same 1-3-5 scale used by simple_score.py.

## total_misses.py
Based on the Endgame blog (https://www.endgame.com/blog/executive-blog/heres-why-we-cant-have-nice-things), we see that there are a number of situations where a product does have functionality that an investigator could use to surface some information about an event that the methodology did not recognize. It's not immediately obvious how to generate the numbers that correspond to the blog, so I'm using the Endgame numbers here with a code comment so you can see how, with minor modification, you can obtain the scores that more strictly correspond to MITRE's evaluation.

## query_attack.py
In analyzing vendor performance, I frequently wanted to do quick lookups against techniques or procedures to see how the vendors performed on a side-by-side basis, such as `$ python query_attack.py -p 2.A.1` or `$ python query_attack.py -t T1016`. I also found myself wanting to do string searches against other fields in the evaluation reports, so I've enabled case-insensitive regex string searching against many of the fields in the reports. Want to know which procedures leveraged the ipconfig command? `$ python query_attack.py -s ipconfig` Want to know which delayed detections Microsoft had? `$ python query_attack.py -s delayed microsoft` Want to know which detections OverWatch sent an email for? `$ python query_attack.py -s "overwatch .* email"` If you really want to go nuts, you can use all of these flags together to specifically see the tainted detection CounterTack had on technique T1055 in step 5.A.2 with `$ python query_attack.py -s tainted -p 5.A.2 -t T1055 countertack`. You get the idea.

--------------------------------------------------------------------------------
/coverage.py:
--------------------------------------------------------------------------------
import json
import glob
import os
import re

# I didn't clean the data because I didn't want to modify anything,
# irregularities in data source lead to some duplication here.
scoring = { 'Specific Behavior':5,
            'Specific Behavior, Tainted':5,
            'Specific Behavior,Tainted':5,
            'General Behavior':5,
            'General Behavior, Tainted':5,
            'Specific Behavior, Delayed':3,
            'Specific Behavior,Delayed':3,
            'General Behavior, Delayed':3,
            'General Behavior,Delayed':3,
            'General Behavior,Delayed,Tainted':3,
            'Enrichment':3,
            'Enrichment, Tainted':3,
            'Enrichment,Tainted':3,
            'Enrichment, Delayed':1,
            'Enrichment, Delayed, Tainted':1,
            'Enrichment,Delayed, Tainted':1,
            'Enrichment,Delayed,Tainted':1,
            'Enrichment, Tainted, Delayed':1,
            'Enrichment,Tainted, Delayed':1,
            'Telemetry':1,
            'Telemetry, Tainted':1,
            'Telemetry,Tainted':1,
            'Telemetry, Delayed':1,
            'Specific Behavior,Configuration Change':0,
            'General Behavior,Configuration Change':0,
            'General Behavior, Configuration Change, Delayed, Tainted':0,
            'General Behavior,Configuration Change, Delayed, Tainted':0,
            'Enrichment, Configuration Change':0,
            'Enrichment,Configuration Change':0,
            'Enrichment, Tainted,Configuration Change':0,
            'Enrichment, Tainted, Configuration Change':0,
            'Enrichment,Tainted,Configuration Change':0,
            'Indicator of Compromise,Configuration Change':0,
            'Telemetry,Configuration Change':0,
            'General Behavior, Configuration Change':0,
            'Telemetry, Configuration Change':0,
            'Indicator of Compromise':0,
            'Indicator of Compromise, Delayed':0,
            'None':0 }

def generate_score(data):
    # Buckets for the 1-3-5 scale (0 = no detection) plus a tainted counter.
    totalscore = {0:0, 1:0, 3:0, 5:0, 'tainted':0}
    for technique_id, technique in data.items():
        if technique_id == 'PublicRelease':
            continue
        for step in technique['Steps'].values():
            # Enabling techniques carry blank procedures; they are not measured.
            if not len(step["Procedure"]):
                continue
            stepscore = 0
            taint = 0
            for detection in step['DetectionCategories']:
                for k,v in detection.items():
                    key = k.strip()
                    # Blank category keys are not in the scoring table; skip them
                    # before indexing so they cannot raise KeyError.
                    if not len(key):
                        continue
                    if taint == 0 and scoring[key] > 0 and re.search('tainted', key, re.IGNORECASE):
                        taint = 1
                    # A procedure is scored by its best detection, so several
                    # detections for one step are counted once.
                    if stepscore < scoring[key]:
                        stepscore = scoring[key]
            totalscore[stepscore] += 1
            totalscore['tainted'] += taint
    return totalscore


path = './data/'
for infile in glob.glob(os.path.join(path, '*json')):
    with open(infile) as json_data:
        data = json.load(json_data)
    score = generate_score(data)
    print(infile)
    # 136 is the total number of procedures measured in round 1.
    print(f' Coverage {int(((136-score[0])/136)*100)}%\n Real-Time Alert: {score[5]}\n Delayed/Enrichment: {score[3]}\n Telemetry: {score[1]}\n None: {score[0]}\n')
    print(f' Correlation {int((score["tainted"]/(136-score[0]))*100)}%\n Tainted: {score["tainted"]}\n Untainted: {136-score[0]-score["tainted"]}\n\n')

--------------------------------------------------------------------------------
/data/CarbonBlack.1.APT3.1_Results.json:
--------------------------------------------------------------------------------
{"T1204": {"TechniqueName": "User Execution", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6
(Nimda)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed Resume Viewer.exe running along with its children."}, {" General Behavior": "A General Behavior alert was generated indicating that the user Debbie executed Resume Viewer.exe. This alert had a severity score of 51/100 and was based upon \\\"Newly Executed Applications\\\"."}], "Screenshots": {"CB-1.A.1-2.png": "Telemetry from process tree showing Resume Viewer.exe execution sequence", "CB-1.A.1-1.png": "General Behavior alert showing execution of Resume Viewer.exe as a Newly Executed Application", "": ""}}}}, "T1064": {"TechniqueName": "Scripting", "TacticGroup": "Defense Evasion, Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing the pdfhelper.cmd script."}, {" Enrichment": "The capability enriched the cmd.exe execution with the correct ATT&CK Technique (T1064 - Scripting)."}], "Screenshots": {"CB-1.A.1-3.png": "Telemetry from process tree showing cmd.exe running the pdfhelper.cmd script", "CB-1.A.1-1.png": "Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting)", "": ""}}, "11.A.1": {"Procedure": "Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)", "DetectionCategories": [{"Enrichment ": "The capability enriched wscript.exe and powershell.exe with the correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell)."}, {" Telemetry ": "Telemetry of a process tree showed powershell.exe execution, including full command-line arguments."}, {" Specific Behavior": " A Specific Behavior Alert was generated indicating that powershell.exe was a suspicious child process of wscript.exe."}, {" Specific Behavior": " A Specific Behavior alert was generated 
indicating that powershell.exe was executed with encoded command-line arguments.\u00a0"}], "Screenshots": {"CB-11.A.1-1.png": "Enrichment of wscript.exe and powershell.exe with correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell)", "CB-11.A.1-2.png": "Telemetry showing process tree of script execution", "CB-11.A.1-3.png": "Specific Behavior alerts for Powershell scripting", "": ""}}, "12.E.1": {"Procedure": "Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques", "DetectionCategories": [{"Telemetry": "Telemetry showed process execution of powershell.exe. The powershell.exe process loaded several non-default dynamically loaded libraries that may indicate the functionality may be used by the PowerShell script."}], "Screenshots": {"CB-12.E.1-1.png": "Telemetry showing powershell.exe execution", "CB-12.E.1-2.png": "Telemetry showing dynamically loaded libraries (modloads) that may indicate PowerShell functionality", "": ""}}}}, "T1085": {"TechniqueName": "Rundll32", "TacticGroup": "Defense Evasion, Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed the Resume Viewer.exe execution sequence and rundll32.exe executing."}, {" Enrichment": " The capability enriched the rundll32.exe execution with the correct ATT&CK Technique (T1085, which corresponds to the Rundll32 Technique)."}], "Screenshots": {"CB-1.A.1-2.png": "Telemetry from process tree showing Resume Viewer.exe execution sequence with rundll32.exe", "CB-1.A.1-1.png": "Enrichment of rundll32.exe execution with correct ATT&CK Technique (T1085, corresponding to Rundll32)", "": ""}}}}, "T1060": {"TechniqueName": "Registry Run Keys / Startup Folder", "TacticGroup": "Persistence", "PrimaryEnabling": "Primary", "Steps": {"1.B.1": {"Procedure": "Previously 
executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder", "DetectionCategories": [{"Telemetry ": "Telemetry showed filemods indicating the creation and file write of autoupdate.bat to the Startup folder."}, {" Enrichment": " The capability enriched cmd.exe with the correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder)."}], "Screenshots": {"CB-1.B.1-1.png": "Telemetry showing filemods indicating update.bat was written to the Startup folder", "CB-1.B.1-2.png": "Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder)", "": ""}}, "10.A.1": {"Procedure": "Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed cmd.exe executing autoupdate.bat from the Startup folder."}], "Screenshots": {"CB-10.A.1-1.png": "Telemetry from process tree showing cmd.exe executing autoupdate.bat from Startup folder", "": ""}}}}, "T1043": {"TechniqueName": "Commonly Used Port", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using port 53", "DetectionCategories": [{"Telemetry ": "Telemetry showed a network connection over UDP port 53."}], "Screenshots": {"CB-6.B.1-3.png": "Telemetry showing network connection over UDP port 53", "": ""}}, "6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to use port 80", "DetectionCategories": [{"Telemetry ": "Telemetry showed network connections over TCP port 80 to 192.168.0.4 (C2 server)."}, {" Enrichment": " The capability enriched the network connections from rundll32.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port)."}], "Screenshots": {"CB-6.B.1-2.png": "Telemetry showing network connection over port 80 to 192.168.0.4 (C2 server)", "CB-6.B.1-4.png": 
"Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port)", "": ""}}, "11.B.1": {"Procedure": "Empire: C2 channel established using port 443", "DetectionCategories": [{"Enrichment ": "The capability enriched backgroundtaskhost.exe and powershell.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port)."}, {" Telemetry": "Telemetry showed network connections, including over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain)."}], "Screenshots": {"CB-11.A.1-1.png": "Enrichment of backgroundtaskhost.exe and powershell.exe with correct ATT&CK Technique (T1043 - Commonly Used Port)", "CB-11.B.1-1.png": "Telemetry showing network connections, including over TCP port 443", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080", "DetectionCategories": [{"Telemetry": "Telemetry showed network connection to 192.168.0.5 (C2 server) over TCP port 8080."}], "Screenshots": {"CB-14.A.1-3.png": "Telemetry showing network connection to 192.168.0.5 (C2 server) over TCP port 8080", "": ""}}}}, "T1071": {"TechniqueName": "Standard Application Layer Protocol", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"Telemetry": "Telemetry showed network connections over TCP port 80 as well as a modload showing winhttp.dll was loaded, which an analyst could use to determine HTTP was used."}], "Screenshots": {"CB-6.B.1-8.png": "Telemetry showing modloads showing winhttp.dll loaded", "CB-6.B.1-2.png": "Telemetry showing network connection over TCP port 80 to the C2 
domain (could be used in conjunction with modload to determine protocol)", "": ""}}, "11.B.1": {"Procedure": "Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"Telemetry": "Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used."}], "Screenshots": {"CB-11.B.1-2.png": "Telemetry showing modloads and certificate check", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1132": {"TechniqueName": "Data Encoding", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1059": {"TechniqueName": "Command-Line Interface", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"2.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.C.2 ": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.D.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.E.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.1": {"Procedure": "", "DetectionCategories": [{"": ""}], 
"Screenshots": {"": ""}}, "2.F.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.3": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.G.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.G.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.H.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "6.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "7.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.F.1": {"Procedure": "Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick\u00a0", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree with cmd.exe execution and associated user context change."}, {" Enrichment ": "The capability enriched cmd.exe event data with the correct ATT&CK Technique (T1059 - Command-Line Interface)."}], "Screenshots": {"CB-16.F.1-1.png": "Telemetry showing process tree with cmd.exe and initial powershell.exe running as user Bob", "CB-16.F.1-2.png": "Telemetry showing process tree with cmd.exe and final powershell.exe running as user Kmitnick", "CB-16.F.1-3.png": "Enrichment of cmd.exe event with correct ATT&CK Technique (T1059 - Command-Line Interface)", "": ""}}}}, "T1016": {"TechniqueName": "System Network Configuration 
Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.A.1": {"Procedure": "Cobalt Strike: 'ipconfig /all' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing ipconfig.exe with command-line arguments."}, {" Enrichment": "The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery)."}], "Screenshots": {"CB-2.A.1-1.png": "Telemetry from process tree showing ipconfig.exe with command-line arguments", "CB-2.A.1-2.png": "Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery)", "": ""}}, "2.A.2": {"Procedure": "Cobalt Strike: 'arp -a' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing arp.exe with command-line arguments."}, {" Enrichment": "The capability enriched arp.exe with a related ATT&CK Technique (T1018 - Remote System Discovery)."}], "Screenshots": {"CB-2.A.2-1.png": "Telemetry from process tree showing arp.exe with command-line arguments", "CB-2.A.2-2.png": "Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery)", "": ""}}, "4.B.1": {"Procedure": "Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing netsh.exe with command-line arguments."}, {" Enrichment": "The capability enriched netsh.exe with a related ATT&CK technique (T1063 - Security Software Discovery) and a tag for Potential Windows Firewall Rule Recon."}], "Screenshots": {"CB-4.B.1-1.png": "Telemetry from process tree showing netsh.exe with command-line arguments", "CB-4.B.1-2.png": "Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewall Rule Recon", "": ""}}, "12.A.1": {"Procedure": "Empire: 'route print' via PowerShell", 
"DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed powershell.exe executing route.exe with command-line arguments."}], "Screenshots": {"CB-12.A.1-2.png": "Telemetry from process tree showing route.exe with command-line arguments", "": ""}}, "12.A.2": {"Procedure": "Empire: 'ipconfig /all' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing ipconfig.exe with command-line arguments."}, {" Enrichment": " The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1049 - System Network Configuration Discovery)."}], "Screenshots": {"CB-12.A.2-1.png": "Telemetry from process tree showing ipconfig.exe with command-line arguments", "CB-12.A.1-1.png": "Enrichment of ipconfig.exe with correct ATT&CK Technique (T1049 - System Network Configuration Discovery)", "": ""}}, "12.E.1.11": {"Procedure": "Empire: WinEnum module included enumeration of network adapters", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1033": {"TechniqueName": "System Owner/User Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.B.1": {"Procedure": "Cobalt Strike: 'echo' via cmd to enumerate specific environment variables", "DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed cmd.exe executing echo with command-line arguments."}], "Screenshots": {"CB-2.B.1-1.png": "Telemetry from process tree showing echo with command-line arguments", "": ""}}, "12.B.1": {"Procedure": "Empire: 'whoami /all /fo list' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing whoami.exe with command-line arguments."}, {" Enrichment": " The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery)."}], "Screenshots": {"CB-12.B.1-1.png": "Telemetry from process tree 
showing whoami.exe with command-line arguments", "CB-12.B.1-2.png": "Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery)", "": ""}}, "12.E.1.1": {"Procedure": "Empire: WinEnum module included enumeration of user information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "20.B.1": {"Procedure": "Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed magnify.exe executing whoami.exe. "}, {" Enrichment": " The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery).\u00a0"}], "Screenshots": {"CB-20.B.1-1.png": "Telemetry from process tree with telemetry showing whoami.exe execution", "CB-20.B.1-2.png": "Enrichment of whoami.exe\u00a0with correct ATT&CK Technique (T1033 - System Owner/User Discovery)", "": ""}}}}, "T1106": {"TechniqueName": "Execution through API", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"2.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "3.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "9.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "9.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}}}, "T1057": {"TechniqueName": "Process Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.C.1": {"Procedure": "Cobalt Strike: 'ps' 
(Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "2.C.2 ": {"Procedure": "Cobalt Strike: 'tasklist /v' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing tasklist.exe with command-line arguments."}, {" Enrichment": "The capability enriched tasklist.exe with the correct ATT&CK Technique (T1057 - Process Discovery)."}], "Screenshots": {"CB-2.C.2-1.png": "Telemetry from process tree showing tasklist.exe with command-line arguments", "CB-2.C.2-2.png": "Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery)", "": ""}}, "3.B.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "8.B.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.C.1": {"Procedure": "Empire: 'qprocess *' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing qprocess.exe with command-line arguments."}, {" Enrichment": " The capability enriched qprocess.exe with the correct ATT&CK Technique (Process Discovery)."}], "Screenshots": {"CB-12.C.1-1.png": "Telemetry from process tree showing qprocess.exe with command-line arguments", "CB-12.C.1-2.png": "Enrichment of qprocess.exe with correct ATT&CK Technique (Process Discovery)", "": ""}}}}, "T1007": {"TechniqueName": "System Service Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.D.1": {"Procedure": "Cobalt Strike: 'sc query' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing sc.exe with command-line arguments."}, {" 
Enrichment": "The capability enriched sc.exe with the correct ATT&CK Technique (System Service Discovery)."}], "Screenshots": {"CB-2.A-ALL.png": "Telemetry from process tree showing sc.exe with command-line arguments", "CB-2.D.1-1.png": "Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery)", "": ""}}, "2.D.2": {"Procedure": "Cobalt Strike: 'net start' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (System Service Discovery)."}], "Screenshots": {"CB-2.D.2-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.D.2-2.png": "Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery)", "": ""}}, "12.D.1": {"Procedure": "Empire: 'net start' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments."}], "Screenshots": {"CB-12.A.D.1-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "": ""}}, "12.E.1.8": {"Procedure": "Empire: WinEnum module included enumeration of services", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.H.1": {"Procedure": "Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed execution of sc.exe with command-line arguments to remotely query services on Creeper. Telemetry also showed module loads and a network connection to Creeper (10.0.0.4). 
"}, {" Enrichment ": " The capability enriched the sc.exe execution with the correct ATT&CK Technique (System Service Discovery)."}], "Screenshots": {"CB-16.H.1-1.png": "Telemetry from process tree showing sc.exe execution for the service query", "CB-16.H.1-2.png": "Telemetry showing module loads from execution of sc.exe to remotely query services on Creeper (10.0.0.4)", "CB-16.H.1-3.png": "Enrichment of sc.exe executing to query services with correct ATT&CK Technique (System Service Discovery)", "": ""}}, "16.J.1": {"Procedure": "Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed execution of sc.exe with command-line arguments to query the AdobeUpdater service on Creeper. "}, {" Enrichment ": " The capability enriched sc.exe execution with the correct ATT&CK Technique (System Service Discovery)."}], "Screenshots": {"CB-16.J.1-1.png": "Telemetry from process tree showing sc.exe execution to query the AdobeUpdater service on Creeper", "CB-16.H.1-3.png": "Enrichment of sc.exe executing query services with correct ATT&CK Technique (System Service Discovery)", "": ""}}, "17.A.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services", "DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed reg.exe executing with command-line arguments to check if terminal services were enabled. 
"}], "Screenshots": {"CB-17.A.1-1.png": "Telemetry from process tree showing reg.exe with command-line arguments", "": ""}}}}, "T1082": {"TechniqueName": "System Information Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.E.1": {"Procedure": "Cobalt Strike: 'systeminfo' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing systeminfo.exe."}, {" Enrichment": "The capability enriched systeminfo.exe with the correct ATT&CK Technique (System Information Discovery)."}], "Screenshots": {"CB-2.E.1-1.png": "Telemetry from process tree showing systeminfo.exe", "CB-2.E.1-2.png": "Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery)", "": ""}}, "2.E.2": {"Procedure": "Cobalt Strike: 'net config workstation' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (System Information Discovery)."}], "Screenshots": {"CB-2.E.2-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.E.2-2.png": "Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery)", "": ""}}, "12.E.1.6.1": {"Procedure": "Empire: WinEnum module included enumeration of system information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.6.2": {"Procedure": "Empire: WinEnum module included enumeration of Windows update information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1069": {"TechniqueName": "Permission Groups Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.F.1": {"Procedure": "Cobalt Strike: 'net localgroup administrators' via cmd", "DetectionCategories": 
[{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration."}], "Screenshots": {"CB-2.F.1-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.F.1-2.png": "Enrichment of net.exe with tag Administrator Enumeration", "CB-2.F.1-3.png": "Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)", "": ""}}, "2.F.2": {"Procedure": "Cobalt Strike: 'net localgroup administrators /domain' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration."}], "Screenshots": {"CB-2.F.2-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.F.2-2.png": "Enrichment of net.exe with tag Administrator Enumeration", "CB-2.F.2-3.png": "Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)", "": ""}}, "2.F.3": {"Procedure": "Cobalt Strike: 'net group \"Domain Admins\" /domain' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration."}], "Screenshots": {"CB-2.F.3-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.F.3-2.png": "Enrichment of net.exe with tag Administrator Enumeration", "CB-2.F.3-3.png": "Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)", "": ""}}, "12.E.1.2": {"Procedure": "Empire: 
WinEnum module included enumeration of AD group memberships", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.F.1": {"Procedure": "Empire: 'net group \"Domain Admins\" /domain' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments."}, {" Enrichment": " The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery)."}], "Screenshots": {"CB-12.F.1-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-12.F.1-3.png": "Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)", "": ""}}, "12.F.2": {"Procedure": "Empire: 'net\u00a0localgroup\u00a0administrators' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments."}, {" Enrichment": " The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery)."}], "Screenshots": {"CB-12.F.2-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-12.F.1-3.png": "Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)", "": ""}}}}, "T1087": {"TechniqueName": "Account Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.G.1": {"Procedure": "Cobalt Strike: 'net user /domain' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery)."}], "Screenshots": {"CB-2.G.1-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.G.1-2.png": "Enrichment of net.exe with correct ATT&CK Technique (Account 
Discovery)", "": ""}}, "2.G.2": {"Procedure": "Cobalt Strike: 'net user george /domain' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery)."}], "Screenshots": {"CB-2.G.2-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-2.G.2-2.png": "Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)", "": ""}}, "7.A.1": {"Procedure": "Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information."}], "Screenshots": {"CB-7.A.1-3.png": "Telemetry showing mmc.exe running lusrmgr.msc", "": ""}}, "12.G.1": {"Procedure": "Empire: 'net user' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments."}, {" Enrichment": " The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery)."}], "Screenshots": {"CB-12.G.1-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-12.F.1-3.png": "Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)", "": ""}}, "12.G.2": {"Procedure": "Empire: 'net user /domain' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments."}, {" Enrichment": " The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery)."}], "Screenshots": {"CB-12.G.2-1.png": "Telemetry from process tree showing net.exe with 
command-line arguments", "CB-12.F.1-3.png": "Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)", "": ""}}}}, "T1012": {"TechniqueName": "Query Registry", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.H.1": {"Procedure": "Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing reg.exe with command-line arguments."}, {" Enrichment": "The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry)."}], "Screenshots": {"CB-2.H.1-1.png": "Telemetry from process tree showing reg.exe with command-line arguments", "CB-2.H.1-2.png": "Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)", "": ""}}, "6.A.1": {"Procedure": "Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry ": "Telemetry showed cmd.exe executing reg.exe with command-line arguments."}, {" Enrichment": " The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry)."}], "Screenshots": {"CB-6.A.1-1.png": "Telemetry from process tree showing reg.exe with command-line arguments", "CB-6.A.1-2.png": "Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)", "": ""}}, "12.E.1.7": {"Procedure": "Empire: WinEnum module included enumeration of system information via a Registry query", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "13.C.1": {"Procedure": "Empire:\u00a0'reg query' via PowerShell to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing reg.exe with command-line arguments. 
"}, {" Enrichment": " The capability enriched reg.exe data with the correct ATT&CK Technique (Query Registry)."}], "Screenshots": {"CB-13.C.1-1.png": "Telemetry showing process tree with reg.exe and command-line arguments", "CB-13.C.1-2.png": "Enrichment of reg.exe event with correct ATT&CK Technique (Query Registry)", "": ""}}, "17.A.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed reg.exe executing with command-line arguments. "}, {" Enrichment ": " The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry)."}], "Screenshots": {"CB-17.A.1-1.png": "Telemetry from process tree showing reg.exe with command-line arguments", "CB-17.A.1-2.png": "Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)", "": ""}}}}, "T1134": {"TechniqueName": "Access Token Manipulation", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.A.1": {"Procedure": "Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token", "DetectionCategories": [{"Telemetry": "Telemetry showed svchost.exe, with the seclogon command-line argument, performing activity related to token manipulation."}], "Screenshots": {"CB-3.A.1-6.png": "Telemetry showing svchost.exe command line arguments, specifically seclogon", "CB-3.A.1-5.png": "Telemetry showing svchost.exe activity related to token manipulation", "": ""}}, "5.B.1": {"Procedure": "Cobalt Strike: Built-in token theft capability executed to change user context to George", "DetectionCategories": [{"Telemetry": "Telemetry showed a change in user execution context from Debbie to George between parent and child processes, which is indicative of token manipulation."}], "Screenshots": {"CB-5.B.1-2.png": "Telemetry showing parent cmd.exe process running under user context Debbie", "CB-5.B.1-3.png": 
"Telemetry showing child cmd.exe process running under user context George", "": ""}}}}, "T1088": {"TechniqueName": "Bypass User Account Control", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.A.1": {"Procedure": "Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "14.A.1": {"Procedure": "Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1055": {"TechniqueName": "Process Injection", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.C.1": {"Procedure": "Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe", "DetectionCategories": [{"Telemetry ": "Telemetry showed \\\"crossproc\\\" events indicative of Process Injection into cmd.exe."}, {" Specific Behavior": " A Specific Behavior alert was generated that was mapped to correct ATT&CK Technique (Process Injection)."}], "Screenshots": {"CB-3.C.1-2.png": "Telemetry showing open handles and thread injection into cmd.exe", "CB-3.C.1-3.png": "Telemetry showing CreateRemoteThread API call used for thread injection into cmd.exe", "CB-3.C.1-1.png": "Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection)", "": ""}}, "5.A.1": {"Procedure": "Cobalt Strike: Credential dump capability involved process injection into lsass", "DetectionCategories": [{"Telemetry": "Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection."}], "Screenshots": {"CB-5.A.1-1.png": "Telemetry showing cross process events, specifically a handle to open thread into 
lsass.exe", "": ""}}, "5.A.2": {"Procedure": "Cobalt Strike: Hash dump capability involved process injection into lsass.exe", "DetectionCategories": [{"Telemetry ": "Telemetry showed a new thread and open handle into lsass.exe, which is indicative of process injection for credential dumping."}, {" Specific Behavior": "A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping)."}], "Screenshots": {"CB-5.A.2-2.png": "Telemetry showing cross process events, specifically a new thread and open handle into lsass.exe", "CB-5.A.2-4.png": "Specific Behavior alert showing correct ATT&CK Technique (Process Injection)", "CB-5.A.2-1.png": "Alert showing correct ATT&CK Technique (Process Injection) within process tree", "": ""}}, "8.D.1": {"Procedure": "Cobalt Strike: Screen capture capability involved process injection into explorer.exe", "DetectionCategories": [{"Telemetry": "Telemetry showed a cross-process \\\"open handle\\\" event into explorer.exe, which could be indicative of process injection."}], "Screenshots": {"CB-8.D.1-1.png": "Telemetry showing \\\"open handle\\\" crossproc on explorer.exe by the process", "": ""}}}}, "T1018": {"TechniqueName": "Remote System Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"4.A.1": {"Procedure": "Cobalt Strike: 'net group \"Domain Controllers\" /domain' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with a related ATT&CK technique (Account Discovery)."}], "Screenshots": {"CB-4.A.1-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-4.A.1-2.png": "Enrichment of net.exe with related ATT&CK technique (Account Discovery)", "": ""}}, "4.A.2": {"Procedure": "Cobalt Strike: 'net group \"Domain Computers\" /domain' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the 
process tree showed cmd.exe executing net.exe with command-line arguments."}, {" Enrichment": "The capability enriched net.exe with a related ATT&CK technique (Account Discovery)."}], "Screenshots": {"CB-4.A.2-1.png": "Telemetry from process tree showing net.exe with command-line arguments", "CB-4.A.2-2.png": "Enrichment of net.exe with related ATT&CK technique (Account Discovery)", "": ""}}, "13.A.1": {"Procedure": "Empire: 'net group \"Domain Computers\" /domain' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing net.exe with command-line arguments. "}, {" Enrichment": " The capability enriched net.exe with a related ATT&CK Technique (Account Discovery)."}], "Screenshots": {"CB-13.A.1-1.png": "Telemetry showing process tree with net.exe and command-line arguments", "CB-13.A.1-2.png": "Enrichment of net.exe with related ATT&CK Technique (Account Discovery)", "": ""}}}}, "T1049": {"TechniqueName": "System Network Connections Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"4.C.1": {"Procedure": "Cobalt Strike: 'netstat -ano' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed cmd.exe executing netstat.exe with command-line arguments."}, {" Enrichment": "The capability enriched netstat.exe with the correct ATT&CK technique (System Network Connections Discovery)."}], "Screenshots": {"CB-4.C.1-1.png": "Telemetry from process tree showing netstat.exe with command-line arguments", "CB-4.C.1-2.png": "Enrichment of netstat.exe with correct ATT&CK technique (System Network Connections Discovery)", "": ""}}, "12.E.1.12": {"Procedure": "Empire: WinEnum module included enumeration of established network connections", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed netstat.exe executing with command-line arguments."}, {" Enrichment": " The capability enriched netstat.exe with the correct ATT&CK Technique (System Network 
Connections Discovery)."}], "Screenshots": {"CB-12.E.1.12-2.png": "Telemetry from process tree showing netstat.exe with command-line arguments", "CB-12.E.1.12-1.png": "Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery)", "": ""}}, "13.B.1": {"Procedure": "Empire: 'net use' via PowerShell", "DetectionCategories": [{"Enrichment ": "The capability enriched net.exe with a related ATT&CK Technique (Account Discovery)."}, {" Telemetry": "The vendor demonstrated to MITRE that the capability can provide telemetry of net.exe, but no screenshot was captured for this procedure."}], "Screenshots": {"CB-13.A.1-2.png": "Enrichment of net.exe with related ATT&CK Technique (Account Discovery)", "": ""}}, "13.B.2": {"Procedure": "Empire: 'netstat -ano' via PowerShell", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing netstat.exe with command-line arguments. "}, {" Enrichment": " The capability enriched net.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery)."}], "Screenshots": {"CB-13.B.1-1.png": "Telemetry showing process tree with netstat.exe and command-line arguments", "CB-13.A.1-2.png": "Enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery)", "": ""}}}}, "T1003": {"TechniqueName": "Credential Dumping", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"5.A.1": {"Procedure": "Cobalt Strike: Built-in Mimikatz credential dump capability executed", "DetectionCategories": [{"Telemetry ": "Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping."}, {" Specific Behavior": "A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping)."}], "Screenshots": {"CB-5.A.1-1.png": "Telemetry showing cross process events, specifically a handle to open thread into lsass.exe", "CB-5.A.1-4.png": "Specific 
Behavior alert showing correct ATT&CK Technique (Credential Dumping)", "": ""}}, "5.A.2": {"Procedure": "Cobalt Strike: Built-in hash dump capability executed", "DetectionCategories": [{"Telemetry": "Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping."}], "Screenshots": {"CB-5.A.2-2.png": "Telemetry showing cross process events, specifically a handle to open thread into lsass.exe", "": ""}}}}, "T1026": {"TechniqueName": "Multiband Communication", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS", "DetectionCategories": [{"Telemetry ": "Telemetry showed separate network connections over port TCP port 80 and UDP port 53, which could indicate multiband communication."}], "Screenshots": {"CB-6.B.1-2.png": "Telemetry showing network connection over TCP port 80", "CB-6.B.1-3.png": "Telemetry showing network connection over UDP port 53", "": ""}}}}, "T1076": {"TechniqueName": "Remote Desktop Protocol", "TacticGroup": "Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"6.C.1": {"Procedure": "Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry ": "Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing."}, {" Enrichment": " The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol)."}], "Screenshots": {"CB-6.B.1-1.png": "Telemetry showing network connection over TCP port 3389 to 10.0.0.5 (Conficker)", "CB-6.C.1-3.png": "Telemetry showing rdpclip.exe running", "CB-6.C.1-1.png": "Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol)", "": ""}}, "10.B.1": {"Procedure": "RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism", 
"DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection."}, {" Enrichment": " The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol)."}], "Screenshots": {"CB-10.B.1-1.png": "Telemetry from process tree showing rdpclip.exe running as user Jesse", "CB-10.B.1-2.png": "Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)", "": ""}}, "20.A.1": {"Procedure": "RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1136": {"TechniqueName": "Create Account", "TacticGroup": "Persistence", "PrimaryEnabling": "Primary", "Steps": {"7.A.1": {"Procedure": "Added user Jesse to Conficker (10.0.0.5) through RDP connection", "DetectionCategories": [{"Telemetry ": "Telemetry showed Registry modification events related to the creation of the user account Jesse."}, {" Enrichment, Configuration Change": "The capability enriched lsass.exe with the tag \\\"Create Accounts using GUI\\\". 
[CB1]"}], "Screenshots": {"CB-7.A.1-2.png": "Telemetry showing Registry modifications for new user Jesse", "CB-7.A.1-4.png": "Enrichment of lsass.exe with tag \\\"Create Accounts using GUI\\\"", "": ""}}}}, "T1061": {"TechniqueName": "Graphical User Interface", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"7.A.1": {"Procedure": "Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in)."}], "Screenshots": {"CB-7.A.1-3.png": "Telemetry showing mmc.exe running lusrmgr.msc", "": ""}}}}, "T1105": {"TechniqueName": "Remote File Copy", "TacticGroup": "Command and Control, Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"7.B.1": {"Procedure": "Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)", "DetectionCategories": [{"Telemetry": "Telemetry showed file modification events indicating updater.dll being created and written to disk."}], "Screenshots": {"CB-7.B.1-1.png": "Telemetry showing updater.dll written to disk", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk", "DetectionCategories": [{"Telemetry": "The vendor demonstrated to MITRE that the capability can provide telemetry of network connections and file modifications indicating a Remote File Copy, but no screenshot was captured for this procedure."}], "Screenshots": {"": ""}}, "16.E.1": {"Procedure": "Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed filemods showing the creation and writing to autoupdate.vbs. 
"}], "Screenshots": {"CB-16.E.1-1.png": "Telemetry showing creation and write to autoupdate.vbs", "": ""}}, "16.G.1": {"Procedure": "Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed filemods showing the creation and writing to update.vbs on remote host 10.0.0.4 (Creeper)."}], "Screenshots": {"CB-16.G.1-1.png": "Telemetry showing remote creation and write to update.vbs", "": ""}}, "19.A.1": {"Procedure": "Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed the creation of recycler.exe.\u00a0"}], "Screenshots": {"CB-19.A.1-1.png": "Telemetry showing filemod (file modification) creation of recycler.exe", "": ""}}}}, "T1053": {"TechniqueName": "Scheduled Task", "TacticGroup": "Execution, Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"7.C.1": {"Procedure": "Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)", "DetectionCategories": [{"Telemetry ": "Telemetry showed the process tree containing schtasks.exe as well as the full command-line arguments."}, {" Specific Behavior": " A Specific Behavior alert was generated mapped to the correct ATT&CK Technique (T1053 - Scheduled Task)."}], "Screenshots": {"CB-7.C.1-1.png": "Telemetry showing process tree containing schtasks.exe and full command a task creation", "CB-7.C.1-2.png": "Specific Behavior alert mapped to correct ATT&CK Technique (T1053 - Scheduled Task)", "": ""}}, "10.A.2": {"Procedure": "Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments \\\"-k netsvcs -p -s 
Schedule\\\"."}], "Screenshots": {"CB-10.A.2-1.png": "Telemetry from process tree showing svchost.exe parent of rundll32.exe process running with \\\"-k netsvcs -p -s Schedule\\\" arguments", "CB-10.A.2-2.png": "Telemetry from process tree showing updater.dll executed by rundll32.exe", "": ""}}}}, "T1083": {"TechniqueName": "File and Directory Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"8.A.1": {"Procedure": "Cobalt Strike: 'dir /s /b \"\\\\conficker\\wormshare\"' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry showed cmd.exe executing dir with command-line arguments."}, {" Enrichment": " The capability enriched cmd.exe with the correct ATT&CK Technique (T1083 - File and Directory Discovery)."}], "Screenshots": {"CB-8.A.1-1.png": "Telemetry from process tree showing dir with command-line arguments", "CB-8.C.1-2.png": "Enrichment of cmd.exe with correct ATT&CK Technique (T1083 - File and Directory Discovery)", "": ""}}, "8.A.2": {"Procedure": "Cobalt Strike: 'tree \"C:\\Users\\debbie\"' via cmd", "DetectionCategories": [{"Telemetry ": "Telemetry showed cmd.exe executing tree.com with command-line arguments."}, {" Enrichment": " The capability enriched tree.com with the correct ATT&CK Technique (T1083 - File and Directory Discovery)."}], "Screenshots": {"CB-8.A.1-2.png": "Telemetry from process tree showing tree.com with command-line arguments", "CB-8.C.1-2.png": "Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery)", "": ""}}, "9.A.1": {"Procedure": "Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.4.1": {"Procedure": "Empire: WinEnum module included enumeration of recently opened files", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], 
"Screenshots": {"": ""}}, "12.E.1.4.2": {"Procedure": "Empire: WinEnum module included enumeration of interesting files", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.K.1": {"Procedure": "Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "18.A.1": {"Procedure": "Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1056": {"TechniqueName": "Input Capture", "TacticGroup": "collection, Credential Access", "PrimaryEnabling": "Primary", "Steps": {"8.C.1": {"Procedure": "Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[CB2]"}], "Screenshots": {"": ""}}, "15.A.1": {"Procedure": "Empire: Built-in keylogging module executed to capture keystrokes of user Bob", "DetectionCategories": [{"Telemetry ": "Telemetry showed modloads associated with the execution of a keylogger. 
"}, {" Enrichment": " The capability enriched the events with a tag titled \\\"PowerShell Input Capture -keylogger\\\" based on known modloads that could be potentially abused to provide keylogger functionality."}], "Screenshots": {"CB-15.A.1-1.png": "Telemetry showing modloads associated with keylogger", "CB-15.A.1-3.png": "Enrichment of data with tag \\\"PowerShell Input Capture -keylogger\\\"", "": ""}}}}, "T1010": {"TechniqueName": "Application Window Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"8.C.1": {"Procedure": "Cobalt Strike: Keylogging capability included residual enumeration of application windows", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "15.A.1": {"Procedure": "Empire: Built-in keylogging module included residual enumeration of application windows", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1113": {"TechniqueName": "Screen Capture", "TacticGroup": "Collection", "PrimaryEnabling": "Primary", "Steps": {"8.D.1": {"Procedure": "Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though modloads showed the thumbnail com object masquerading followed by a modload of dwmapi.dll (Microsoft Desktop Windows Manager API) and then a crossprocess (open process) to the target application, which could be indicative of screen capture behavior."}], "Screenshots": {"CB-8.D.1-1.png": "Telemetry showing modloads and crossprocess events (does not count as a detection)", "": ""}}}}, "T1039": {"TechniqueName": "Data from Network Shared Drive", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"9.B.1": {"Procedure": "Cobalt Strike: Built-in download capability executed to a collect file 
(Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "18.B.1": {"Procedure": "Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[CB90]\u00a0"}], "Screenshots": {"": ""}}}}, "T1041": {"TechniqueName": "Exfiltration Over Command and Control Channel", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"9.B.1": {"Procedure": "Cobalt Strike: Download capability exfiltrated data through existing C2 channel", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1078": {"TechniqueName": "Valid Accounts", "TacticGroup": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "PrimaryEnabling": "Primary", "Steps": {"10.B.1": {"Procedure": "RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection."}, {" Enrichment": " The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol)."}], "Screenshots": {"CB-10.B.1-1.png": "Telemetry from process tree showing rdpclip.exe running as user Jesse", "CB-10.B.1-2.png": "Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)", "": ""}}, "16.B.1": {"Procedure": "Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick", "DetectionCategories": [{"Telemetry": "Telemetry showed a process tree containing a successful logon via net.exe."}], "Screenshots": {"CB-16.B.1-1.png": 
"Telemetry showing process tree with five different net.exe logon attempts, including a success", "CB-16.B.1-2.png": "Telemetry showing successful logon via net.exe", "": ""}}, "16.D.1": {"Procedure": "Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick", "DetectionCategories": [{"Telemetry": "Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid account credentials."}], "Screenshots": {"CB-16.D.1-1.png": "Telemetry showing process tree with logon using valid account credentials", "": ""}}}}, "T1086": {"TechniqueName": "PowerShell", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"11.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.F.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.F.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.G.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.G.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.B.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.C.1": 
{"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "15.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.H.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.I.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.J.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.K.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.L.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.B.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "18.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "18.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "19.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "19.D.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}}}, "T1032": {"TechniqueName": "Standard Cryptographic Protocol", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"11.B.1": {"Procedure": "Empire: Encrypted C2 channel established using HTTPS", "DetectionCategories": [{"Telemetry": "Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. 
winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used."}], "Screenshots": {"CB-11.B.1-2.png": "Telemetry showing modloads and certificate check", "": ""}}}}, "T1201": {"TechniqueName": "Password Policy Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.3": {"Procedure": "Empire: WinEnum module included enumeration of password policy information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1115": {"TechniqueName": "Clipboard Data", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.5": {"Procedure": "Empire: WinEnum module included enumeration of clipboard contents", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1135": {"TechniqueName": "Network Share Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.9.1": {"Procedure": "Empire: WinEnum module included enumeration of available shares", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.9.2": {"Procedure": "Empire: WinEnum module included enumeration of mapped network drives", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1063": {"TechniqueName": "Security Software Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.10.1": {"Procedure": "Empire: WinEnum module included enumeration of AV solutions", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.10.2": {"Procedure": "Empire: WinEnum module included enumeration of firewall rules", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1081": 
{"TechniqueName": "Credentials in Files", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"15.B.1": {"Procedure": "Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1110": {"TechniqueName": "Brute Force", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"16.A.1": {"Procedure": "Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users\u00a0Kmitnick, Bob, and Frieda", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying."}, {" Enrichment, Configuration Change": " The capability enriched individual net.exe events with tagging titled \\\"Credential Access using Admin Shares - Failed Attempts\\\". 
[CB8]"}], "Screenshots": {"CB-16.A.1-1.png": "Telemetry showing process tree with four different net.exe logon attempts", "CB-16.B.1-2.png": "Enrichment of the individual net.exe logon attempts with tag \\\"Credential Access using Admin Shares - Failed Attempts\\\"", "": ""}}, "16.B.1": {"Procedure": "Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon."}, {" Enrichment, Configuration Change": " The capability enriched individual net.exe events with tagging titled \\\"Credential Access using Admin Shares - Failed Attempts\\\" for failures as well as a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [CB8]"}], "Screenshots": {"CB-16.B.1-1.png": "Telemetry showing process tree with five different net.exe logon attempts, including a success", "CB-16.B.1-2.png": "Enrichment of the individual net.exe logon attempts, successful logons mapped to related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)", "": ""}}}}, "T1077": {"TechniqueName": "Windows Admin Shares", "TacticGroup": "Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"16.A.1": {"Procedure": "Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$."}, {" Specific Behavior": " Specific Behavior alerts titled \\\"Windows Admin Shares - Lateral Movement\\\" were generated for credential accesses specifically targeting admin shares."}], "Screenshots": {"CB-16.A.1-1.png": "Telemetry showing process tree with four 
different net.exe logon attempts targeting ADMIN$", "CB-16.A.1-3.png": "Specific Behavior alerts for of the 4 different net.exe logon attempts", "": ""}}, "16.B.1": {"Procedure": "Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)\u00a0", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$, eventually resulting in a successful logon."}, {" Specific Behavior": " Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons."}], "Screenshots": {"CB-16.B.1-1.png": "Telemetry showing process tree with five different net.exe logon attempts targeting ADMIN$", "CB-16.B.1-2.png": "Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)", "": ""}}, "16.D.1": {"Procedure": "Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments \u00a0targeting C$ using valid account credentials."}, {" Specific Behavior": " \u00a0Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons."}], "Screenshots": {"CB-16.D.1-1.png": "Telemetry showing process tree with successful net.exe logon targeting C$", "CB-16.D.1-2.png": "Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)", "": ""}}}}, "T1126": {"TechniqueName": "Network Share Connection Removal", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"16.C.1": {"Procedure": "Empire: 'net use /delete' via PowerShell", "DetectionCategories": 
[{"Telemetry ": "Telemetry showed a process tree containing net.exe and command-line arguments. "}, {" Specific Behavior": " A Specific Behavior alert was generated indicating that a connected network share was removed."}], "Screenshots": {"CB-16.C.1-1.png": "Telemetry showing process tree with net.exe and command-line arguments", "CB-16.B.1-2.png": "Specific Behavior alerts for removing connected network share", "": ""}}}}, "T1036": {"TechniqueName": "Masquerading", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"16.I.1": {"Procedure": "Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs and a suspicious service description, which indicates masquerading."}], "Screenshots": {"CB-16.I.1-2.png": "Telemetry from process tree showing sc.exe execution setting the AdobeUpdater service description", "CB-16.I.1-1.png": "Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service", "": ""}}, "19.A.1": {"Procedure": "Empire: File dropped to disk is a renamed copy of the WinRAR binary", "DetectionCategories": [{"Telemetry": "Telemetry showed the creation of recycler.exe. 
Binary metadata on recycler.exe indicated it was masquerading and had a digital signature and file metadata that matched the WinRAR utility."}], "Screenshots": {"CB-19.A.1-1.png": "Telemetry showing filemod creation of recycler.exe", "CB-19.A.1-2.png": "Binary metadata showing recycler.exe is WinRAR.exe based on digital signature and file version information", "": ""}}, "19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary", "DetectionCategories": [{"Telemetry ": "Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. "}, {" Specific Behavior": " A Specific Behavior alert was generated on execution of recycler.exe indicating it was WinRAR and was masquerading as a renamed process."}], "Screenshots": {"CB-19.A.1-1.png": "Telemetry showing recycler.exe and command-line arguments with arguments indicating it is WinRAR", "CB-19.B.1-5.png": "Specific Behavior alert for recycler.exe masquerading as a renamed WinRAR process", "": ""}}}}, "T1050": {"TechniqueName": "New Service", "TacticGroup": "Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"16.I.1": {"Procedure": "Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs. 
"}, {" Specific Behavior ": " A Specific Behavior alert was generated for sc.exe execution to create the AdobeUpdater service with the correct ATT&CK Technique (New Service)."}], "Screenshots": {"CB-16.I.1-1.png": "Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service", "CB-16.H.1-3.png": "Specific Behavior alert on sc.exe executing to create the AdobeUpdater service mapped to ATT&CK", "": ""}}}}, "T1035": {"TechniqueName": "Service Execution", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"16.L.1": {"Procedure": "Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry within the process tree showed execution of sc.exe with command-line arguments to start the AdobeUpdater service on Creeper."}], "Screenshots": {"CB-16.L.1-1.png": "Telemetry from process tree showing sc.exe execution to start the AdobeUpdater service on Creeper", "": ""}}}}, "T1222": {"TechniqueName": "File Permissions Modification", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"17.B.1": {"Procedure": "Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed execution of takeown.exe with command-line arguments on magnify.exe. "}, {" Enrichment, Configuration Change ": " The capability enriched the execution of takeown.exe with \\\"Permission modifications\\\".[CB1]"}], "Screenshots": {"CB-17.B.1-1.png": "Telemetry from process tree showing takeown.exe with command-line arguments", "CB-17.A.1-2.png": "Enrichment of takeown.exe execution with tag \\\"Permission modifications\\\"", "": ""}}, "17.B.2": {"Procedure": "Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree showed execution of icacls.exe with command-line arguments on magnify.exe. 
"}, {" Enrichment, Configuration Change ": " The capability enriched the execution of icacls.exe with \\\"Permission modifications\\\".[CB1]"}], "Screenshots": {"CB-17.B.2-1.png": "Telemetry from process tree showing icacls.exe with command-line arguments", "CB-17.A.1-2.png": "Enrichment of icacls.exe execution with tag \\\"Permission modifications\\\"", "": ""}}}}, "T1015": {"TechniqueName": "Accessibility Features", "TacticGroup": "Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"17.C.1": {"Procedure": "Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe", "DetectionCategories": [{"Telemetry ": "Telemetry showed filemod events overwriting magnify.exe in the system directory. "}, {" Specific Behavior": " A Specific Behavior alert was generated for powershell.exe with a severity score of 51/100 when magnify.exe was replaced. The alert was also mapped to the correct ATT&CK Technique (T1015 - Accessibility Features)."}], "Screenshots": {"CB-17.C.1-1.png": "Telemetry showing creation and file write replacing magnify.exe in the system directory", "CB-17.A.1-2.png": "Specific Behavior alert on powershell.exe when it replaced magnify.exe (mapped to correct ATT&CK Technique, T1015 - Accessibility Features)", "": ""}}, "20.A.1": {"Procedure": "magnifer.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry ": "Telemetry within the process tree that showed magnify.exe executing from utilman.exe."}, {" Specific Behavior ": " A Specific Behavior alert was generated on execution of magnify.exe named \\\"Suspicious screen magnifier\u00a0process\\\" with a 76/100 severity score. "}, {" General Behavior ": " A General Behavior alert was generated named \\\"Suspicious renamed cmd process\\\" with a 72/100 severity score. 
"}, {" General Behavior": " A General Behavior alert was generated named \\\"Execution of cmd from non-standard path\\\" with a 60/100 severity score."}], "Screenshots": {"CB-20.B.1-1.png": "Telemetry from process tree telemetry showing magnify.exe execution", "CB-20.B.1-2.png": "Three alerts (one Specific Behavior and two General Behavior alerts) from execution of magnify.exe\u00a0showing red severity scores", "": ""}}}}, "T1074": {"TechniqueName": "Data Staged", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"18.B.1": {"Procedure": "Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\\$Recycle.Bin) on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry ": "Telemetry showed filemod events for the creation and write the .vsdx in the Recycle Bin. "}, {" Specific Behavior": " A Specific Behavior alert was generated with a severity score of 60/100 and was correctly mapped to correct ATT&CK Technique (T1074 - Data Staged)."}], "Screenshots": {"CB-18.B.1-1.png": "Telemetry showing creation of the .vsdx file in the Recycle Bin", "CB-18.B.1-2.png": "Specific Behavior alert on the file write of the .vsdx file in the Recycle Bin (showing red severity score, mapped to correct ATT&CK Technique, T1074 - Data Staged)", "": ""}}}}, "T1002": {"TechniqueName": "Data Compressed", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file", "DetectionCategories": [{"Telemetry ": "Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. 
Telemetry also showed the creation of old.rar as the output of recycler.exe running."}, {" Enrichment": "The capability enriched recycler.exe with the correct ATT&CK Technique (1002 - Data Compressed)."}], "Screenshots": {"CB-19.B.1-3.png": "Process tree with telemetry showing recycler.exe and command-line arguments", "CB-19.B.1-1.png": "Telemetry showing filemod (file modification) creation of old.rar output of recycler.exe", "CB-19.B.1-2.png": "Enrichment of recycler.exe with correct ATT&CK Technique (1002 - Data Compressed)", "": ""}}}}, "T1022": {"TechniqueName": "Data Encrypted", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file", "DetectionCategories": [{"Telemetry ": "Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. "}, {" Enrichment": "The capability enriched recycler.exe with the correct ATT&CK Technique (1022 - Data Encrypted)."}], "Screenshots": {"CB-19.A.1-1.png": "Telemetry showing recycler.exe and command-line arguments with encryption password", "CB-19.B.1-2.png": "Enrichment of recycler.exe with correct ATT&CK Technique (1022 - Data Encrypted)", "": ""}}}}, "T1048": {"TechniqueName": "Exfiltration Over Alternative Protocol", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.C.1": {"Procedure": "Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel", "DetectionCategories": [{"Telemetry ": "Telemetry showed a process tree for ftp.exe being executed with command-line arguments including ftp.txt. The contents of ftp.txt was not seen. 
"}, {" Enrichment": " The capability enriched ftp.exe with the correct ATT&CK Technique (Exfil Over Alternate Protocol)."}], "Screenshots": {"CB-19.C.1-1.png": "Telemetry from process tree showing execution of ftp.exe with command-line arguments", "CB-19.C.1-2.png": "Enrichment of ftp.exe with correct ATT&CK Technique (Exfil Over Alternate Protocol)", "": ""}}}}, "T1107": {"TechniqueName": "File Deletion", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"19.D.1": {"Procedure": "Empire: 'del C:\\\"$\"Recycle.bin\\old.rar'", "DetectionCategories": [{"Telemetry": "Telemetry showed the deletion of old.rar."}], "Screenshots": {"CB-19.D.1-1.png": "Telemetry showing filemod (file modification) deletion of old.rar", "": ""}}, "19.D.2": {"Procedure": "Empire: 'del recycler.exe'", "DetectionCategories": [{"Telemetry": "Telemetry showed the deletion of recycler.exe."}], "Screenshots": {"CB-19.D.1-1.png": "Telemetry showing filemod (file modification) deletion of recycler.exe", "": ""}}}}} -------------------------------------------------------------------------------- /data/RSA.1.APT3.1_Results.json: -------------------------------------------------------------------------------- 1 | {"T1204": {"TechniqueName": "User Execution", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of Resume Viewer.exe."}], "Screenshots": {"RSA-01-1.png": "Telemetry showing Resume Viewer.exe execution", "": ""}}}}, "T1064": {"TechniqueName": "Scripting", "TacticGroup": "Defense Evasion, Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)", "DetectionCategories": [{"None": "No detection capability demonstrated for 
this procedure, though telemetry showed the execution sequence of Resume Viewer.exe executing cmd.exe, which executed rundll32.exe (the pdfhelper.cmd script was not shown)."}], "Screenshots": {"RSA-01-1.png": "Telemetry showing Resume Viewer.exe execution (does not count as a detection)", "": ""}}, "11.A.1": {"Procedure": "Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)", "DetectionCategories": [{"Telemetry": "Telemetry showed wscript.exe executing autoupdate.vbs and the subsequent PowerShell child process. [RS1]"}], "Screenshots": {"RSA-11-1.png": "Telemetry showing the autoupdate.vbs script executed by wscript.exe", "": ""}}, "12.E.1": {"Procedure": "Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques", "DetectionCategories": [{"Telemetry": "Telemetry showed PowerShell running and a PowerShell script being written to disk that coincided with the execution of WinEnum."}], "Screenshots": {"RSA-12-3.png": "Telemetry showing a PowerShell script written to disk", "": ""}}}}, "T1085": {"TechniqueName": "Rundll32", "TacticGroup": "Defense Evasion, Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe launching rundll32.exe."}], "Screenshots": {"RSA-01-1.png": "Telemetry showing execution of Resume Viewer.exe", "": ""}}}}, "T1060": {"TechniqueName": "Registry Run Keys / Startup Folder", "TacticGroup": "Persistence", "PrimaryEnabling": "Primary", "Steps": {"1.B.1": {"Procedure": "Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder", "DetectionCategories": [{"Telemetry": "Telemetry showed a cmd.exe \\\"rename to executable\\\" event for autoupdate.bat in the Startup folder."}], "Screenshots": {"RSA-01-1.png": "Telemetry showing 
cmd.exe \\\"rename to executable\\\" event for autoupdate.bat in Startup folder", "": ""}}, "10.A.1": {"Procedure": "Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder."}], "Screenshots": {"RSA-10-1.png": "Telemetry showing the execution of autoupdate.bat from the Startup Folder", "": ""}}}}, "T1043": {"TechniqueName": "Commonly Used Port", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using port 53", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to use port 80", "DetectionCategories": [{"Telemetry": "Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain)."}], "Screenshots": {"RSA-06-2.png": "Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain)", "": ""}}, "11.B.1": {"Procedure": "Empire: C2 channel established using port 443", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over port 443 and to letsencrypt.org (no protocol was identified for this traffic)."}], "Screenshots": {"RSA-11-2.png": "Telemetry showing network connections, including over port 443 (does not count as a detection)", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080", "DetectionCategories": [{"Telemetry": "Telemetry showed network connection to 192.168.0.5 (C2 server) over port 8080. 
Though it does not count as a detection, telemetry also showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080."}], "Screenshots": {"RSA-14-2.png": "Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080", "RSA-14-1.png": "Telemetry of decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)", "": ""}}}}, "T1071": {"TechniqueName": "Standard Application Layer Protocol", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though telemetry showed a connection to TCP port 80 (no detection showed HTTP specifically)."}], "Screenshots": {"": ""}}, "11.B.1": {"Procedure": "Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain)."}], "Screenshots": {"RSA-11-2.png": "Telemetry showing network connections, including over port 443", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080."}], "Screenshots": {"RSA-14-1.png": "Telemetry 
showing decoded PowerShell with a download request over HTTP (does not count as a detection due to decoding outside of capability)", "": ""}}}}, "T1132": {"TechniqueName": "Data Encoding", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1059": {"TechniqueName": "Command-Line Interface", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"2.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.C.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.D.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.E.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.3": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.G.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.G.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.H.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], 
"Screenshots": {"": ""}}, "4.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "6.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "7.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.F.1": {"Procedure": "Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick"}], "Screenshots": {"RSA-16-6.png": "Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick", "": ""}}}}, "T1016": {"TechniqueName": "System Network Configuration Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.A.1": {"Procedure": "Cobalt Strike: 'ipconfig /all' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments."}], "Screenshots": {"RSA-02-1.png": "Telemetry showing ipconfig.exe with command-line arguments", "": ""}}, "2.A.2": {"Procedure": "Cobalt Strike: 'arp -a' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing arp.exe with command-line arguments."}], "Screenshots": {"RSA-02-1.png": "Telemetry showing arp.exe with command-line arguments", "": ""}}, "4.B.1": {"Procedure": "Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe running netsh.exe with command-line arguments."}], "Screenshots": {"RSA-04-1.png": "Telemetry showing netsh.exe with command-line arguments", "": ""}}, "12.A.1": {"Procedure": "Empire: 'route print' via 
PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing route.exe with command-line arguments."}], "Screenshots": {"RSA-12-1.png": "Telemetry showing route.exe with command-line arguments", "": ""}}, "12.A.2": {"Procedure": "Empire: 'ipconfig /all' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments."}], "Screenshots": {"RSA-12-1.png": "Telemetry showing ipconfig.exe with command-line arguments", "": ""}}, "12.E.1.11": {"Procedure": "Empire: WinEnum module included enumeration of network adapters", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1033": {"TechniqueName": "System Owner/User Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.B.1": {"Procedure": "Cobalt Strike: 'echo' via cmd to enumerate specific environment variables", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing echo with command-line arguments."}], "Screenshots": {"RSA-02-1.png": "Telemetry showing echo with command-line arguments", "": ""}}, "12.B.1": {"Procedure": "Empire: 'whoami /all /fo list' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing whoami.exe with command-line arguments."}], "Screenshots": {"RSA-12-1.png": "Telemetry showing whoami.exe with command-line arguments", "": ""}}, "12.E.1.1": {"Procedure": "Empire: WinEnum module included enumeration of user information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "20.B.1": {"Procedure": "Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of whoami.exe."}], "Screenshots": {"RSA-20-1.png": "Telemetry showing whoami.exe execution", "": ""}}}}, 
"T1106": {"TechniqueName": "Execution through API", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"2.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "3.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "9.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "9.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}}}, "T1057": {"TechniqueName": "Process Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.C.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "2.C.2": {"Procedure": "Cobalt Strike: 'tasklist /v' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing tasklist.exe with command-line arguments."}], "Screenshots": {"RSA-02-1.png": "Telemetry showing tasklist.exe with command-line arguments", "RSA-02-2.png": "Additional telemetry showing tasklist.exe with command-line arguments", "": ""}}, "3.B.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "8.B.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.C.1": {"Procedure": "Empire: 'qprocess *' via PowerShell", 
"DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing qprocess.exe with command-line arguments."}], "Screenshots": {"RSA-12-1.png": "Telemetry showing qprocess.exe with command-line arguments", "": ""}}}}, "T1007": {"TechniqueName": "System Service Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.D.1": {"Procedure": "Cobalt Strike: 'sc query' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing sc.exe with command-line arguments."}], "Screenshots": {"RSA-02-2.png": "Telemetry showing sc.exe with command-line arguments", "": ""}}, "2.D.2": {"Procedure": "Cobalt Strike: 'net start' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-02-2.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "12.D.1": {"Procedure": "Empire: 'net start' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-12-1.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "12.E.1.8": {"Procedure": "Empire: WinEnum module included enumeration of services", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.H.1": {"Procedure": "Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of sc.exe to query services on 10.0.0.4 (Creeper)."}], "Screenshots": {"RSA-16-7.png": "Telemetry showing execution of sc.exe to query services on 10.0.0.4 (Creeper)", "": ""}}, "16.J.1": {"Procedure": "Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of sc.exe to query for the AdobeUpdater service on 10.0.0.4 
(Creeper)."}], "Screenshots": {"RSA-16-7.png": "Telemetry showing execution of sc.exe to query the AdobeUpdater service on 10.0.0.4 (Creeper)", "": ""}}, "17.A.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services", "DetectionCategories": [{"Telemetry": "Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services was enabled."}], "Screenshots": {"RSA-17-1.png": "Telemetry showing reg.exe query for terminal server setting", "": ""}}}}, "T1082": {"TechniqueName": "System Information Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.E.1": {"Procedure": "Cobalt Strike: 'systeminfo' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing systeminfo.exe."}], "Screenshots": {"RSA-02-3.png": "Telemetry showing systeminfo.exe", "": ""}}, "2.E.2": {"Procedure": "Cobalt Strike: 'net config workstation' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-02-3.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "12.E.1.6.1": {"Procedure": "Empire: WinEnum module included enumeration of system information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.6.2": {"Procedure": "Empire: WinEnum module included enumeration of Windows update information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1069": {"TechniqueName": "Permission Groups Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.F.1": {"Procedure": "Cobalt Strike: 'net localgroup administrators' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing net.exe with command-line arguments."}], "Screenshots": 
{"RSA-02-3.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "2.F.2": {"Procedure": "Cobalt Strike: 'net localgroup administrators /domain' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-02-3.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "2.F.3": {"Procedure": "Cobalt Strike: 'net group \"Domain Admins\" /domain' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing net.exe with command-line arguments."}, {"Enrichment": "An \"IIOC\" module called \"Enumerates domain administrators\" was generated and provided enrichment."}], "Screenshots": {"RSA-02-3.png": "Telemetry showing net.exe with command-line arguments", "RSA-02-5.png": "Event enrichment from IIOC module \"Enumerates domain administrators\"", "": ""}}, "12.E.1.2": {"Procedure": "Empire: WinEnum module included enumeration of AD group memberships", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.F.1": {"Procedure": "Empire: 'net group \"Domain Admins\" /domain' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-12-2.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "12.F.2": {"Procedure": "Empire: 'net localgroup administrators' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-12-2.png": "Telemetry showing net.exe with command-line arguments", "": ""}}}}, "T1087": {"TechniqueName": "Account Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.G.1": {"Procedure": "Cobalt Strike: 'net user /domain' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed 
cmd.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-02-3.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "2.G.2": {"Procedure": "Cobalt Strike: 'net user george /domain' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-02-4.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "7.A.1": {"Procedure": "Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.G.1": {"Procedure": "Empire: 'net user' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-12-2.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "12.G.2": {"Procedure": "Empire: 'net user /domain' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing net.exe with command-line arguments."}], "Screenshots": {"RSA-12-2.png": "Telemetry showing net.exe with command-line arguments", "": ""}}}}, "T1012": {"TechniqueName": "Query Registry", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.H.1": {"Procedure": "Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing reg.exe with command-line arguments."}], "Screenshots": {"RSA-02-4.png": "Telemetry showing reg.exe with command-line arguments", "": ""}}, "6.A.1": {"Procedure": "Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing reg.exe with command-line arguments."}], "Screenshots": {"RSA-06-1.png": "Telemetry showing 
reg.exe with command-line arguments", "": ""}}, "12.E.1.7": {"Procedure": "Empire: WinEnum module included enumeration of system information via a Registry query", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "13.C.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of reg.exe with command-line arguments."}], "Screenshots": {"RSA-13-1.png": "Telemetry showing execution of reg.exe and command-line arguments", "": ""}}, "17.A.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry": "Telemetry showed reg.exe executing with command-line arguments."}], "Screenshots": {"RSA-17-1.png": "Telemetry showing reg.exe execution", "": ""}}}}, "T1134": {"TechniqueName": "Access Token Manipulation", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.A.1": {"Procedure": "Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "5.B.1": {"Procedure": "Cobalt Strike: Built-in token theft capability executed to change user context to George", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1088": {"TechniqueName": "Bypass User Account Control", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.A.1": {"Procedure": "Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though an alert was created for PowerShell with the -enc command-line 
argument."}], "Screenshots": {"RSA-03-2.png": "Alert for powershell.exe execution with encoded command-line arguments (does not count as a detection)", "": ""}}, "14.A.1": {"Procedure": "Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1055": {"TechniqueName": "Process Injection", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.C.1": {"Procedure": "Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe creating a remote thread into cmd.exe."}], "Screenshots": {"RSA-03-2.png": "Telemetry showing powershell.exe creating a remote thread into cmd.exe", "": ""}}, "5.A.1": {"Procedure": "Cobalt Strike: Credential dump capability involved process injection into lsass.exe", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "5.A.2": {"Procedure": "Cobalt Strike: Hash dump capability involved process injection into lsass.exe", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "8.D.1": {"Procedure": "Cobalt Strike: Screen capture capability involved process injection into explorer.exe", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though a floating code \"IIOC\" module alerted with an elevated risk score for DLL injection. 
There was no telemetry available for the processes that were injected to verify their relation to this procedure."}], "Screenshots": {"RSA-08-4.png": "Floating Code module generated from DLL injection showing introspection into the module's characteristics (does not count as a detection)", "": ""}}}}, "T1018": {"TechniqueName": "Remote System Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"4.A.1": {"Procedure": "Cobalt Strike: 'net group \"Domain Controllers\" /domain' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe running net.exe with command-line arguments."}], "Screenshots": {"RSA-04-1.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "4.A.2": {"Procedure": "Cobalt Strike: 'net group \"Domain Computers\" /domain' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe running net.exe with command-line arguments."}], "Screenshots": {"RSA-04-1.png": "Telemetry showing net.exe with command-line arguments", "": ""}}, "13.A.1": {"Procedure": "Empire: 'net group \"Domain Computers\" /domain' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of net.exe with command-line arguments."}], "Screenshots": {"RSA-13-1.png": "Telemetry showing execution of net.exe and command-line arguments", "": ""}}}}, "T1049": {"TechniqueName": "System Network Connections Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"4.C.1": {"Procedure": "Cobalt Strike: 'netstat -ano' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe running netstat.exe with command-line arguments."}], "Screenshots": {"RSA-04-1.png": "Telemetry showing netstat.exe with command-line arguments", "": ""}}, "12.E.1.12": {"Procedure": "Empire: WinEnum module included enumeration of established network connections", "DetectionCategories": [{"Telemetry": "Telemetry showed powershell.exe executing netstat.exe with command-line arguments."}], 
"Screenshots": {"RSA-12-3.png": "Telemetry showing netstat.exe with command-line arguments", "": ""}}, "13.B.1": {"Procedure": "Empire: 'net use' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of net.exe with command-line arguments."}], "Screenshots": {"RSA-13-1.png": "Telemetry showing execution of net.exe and command-line arguments", "": ""}}, "13.B.2": {"Procedure": "Empire: 'netstat -ano' via PowerShell", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure due to event suppression (previously detected)."}], "Screenshots": {"": ""}}}}, "T1003": {"TechniqueName": "Credential Dumping", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"5.A.1": {"Procedure": "Cobalt Strike: Built-in Mimikatz credential dump capability executed", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "5.A.2": {"Procedure": "Cobalt Strike: Built-in hash dump capability executed", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1026": {"TechniqueName": "Multiband Communication", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1076": {"TechniqueName": "Remote Desktop Protocol", "TacticGroup": "Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"6.C.1": {"Procedure": "Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe connecting to 10.0.0.5 (Conficker) over port 3389."}], "Screenshots": {"RSA-06-3.png": "Telemetry showing cmd.exe connecting over port 3389 (RDP) to 10.0.0.5 
(Conficker)", "": ""}}, "10.B.1": {"Procedure": "RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "20.A.1": {"Procedure": "RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1136": {"TechniqueName": "Create Account", "TacticGroup": "Persistence", "PrimaryEnabling": "Primary", "Steps": {"7.A.1": {"Procedure": "Added user Jesse to Conficker (10.0.0.5) through RDP connection", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1061": {"TechniqueName": "Graphical User Interface", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"7.A.1": {"Procedure": "Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1105": {"TechniqueName": "Remote File Copy", "TacticGroup": "Command and Control, Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"7.B.1": {"Procedure": "Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)", "DetectionCategories": [{"Telemetry": "Telemetry showed file write of updater.dll."}], "Screenshots": {"RSA-07-1.png": "Telemetry showing file write event of updater.dll", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the 
IEX command used to download the file (wdbypass) over HTTP port 8080."}], "Screenshots": {"RSA-14-1.png": "Telemetry showing decoded PowerShell with a download request over HTTP (does not count as a detection due to decoding outside of capability)", "": ""}}, "16.E.1": {"Procedure": "Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed file write of autoupdate.vbs."}], "Screenshots": {"RSA-16-5.png": "Telemetry showing file write of autoupdate.vbs", "": ""}}, "16.G.1": {"Procedure": "Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "19.A.1": {"Procedure": "Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed a file write event for recycler.exe."}], "Screenshots": {"RSA-19-1.png": "Telemetry showing file write of recycler.exe", "": ""}}}}, "T1053": {"TechniqueName": "Scheduled Task", "TacticGroup": "Execution, Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"7.C.1": {"Procedure": "Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)", "DetectionCategories": [{"Telemetry": "Telemetry showed the execution of schtasks.exe as well as the full command-line arguments."}], "Screenshots": {"RSA-07-2.png": "Telemetry showing schtasks.exe and command-line arguments", "": ""}}, "10.A.2": {"Procedure": "Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry showed rundll32.exe executing updater.dll."}], "Screenshots": {"RSA-10-2.png": "Telemetry showing rundll32.exe executing 
updater.dll", "": ""}}}}, "T1083": {"TechniqueName": "File and Directory Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"8.A.1": {"Procedure": "Cobalt Strike: 'dir /s /b \"\\\\conficker\\wormshare\"' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing dir with command-line arguments."}], "Screenshots": {"RSA-08-1.png": "Telemetry showing cmd.exe executing dir with command-line arguments", "": ""}}, "8.A.2": {"Procedure": "Cobalt Strike: 'tree \"C:\\Users\\debbie\"' via cmd", "DetectionCategories": [{"Telemetry": "Telemetry showed cmd.exe executing tree with command-line arguments."}], "Screenshots": {"RSA-08-1.png": "Telemetry showing cmd.exe executing tree with command-line arguments", "": ""}}, "9.A.1": {"Procedure": "Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.4.1": {"Procedure": "Empire: WinEnum module included enumeration of recently opened files", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.4.2": {"Procedure": "Empire: WinEnum module included enumeration of interesting files", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.K.1": {"Procedure": "Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "18.A.1": {"Procedure": "Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1056": 
{"TechniqueName": "Input Capture", "TacticGroup": "Collection, Credential Access", "PrimaryEnabling": "Primary", "Steps": {"8.C.1": {"Procedure": "Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though a floating code \"IIOC\" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe the keylogger Aggressor script, but this only showed that there is a potential capability of a keylogger, not that execution occurred."}], "Screenshots": {"RSA-08-2.png": "Floating Code module output showing keylogger Aggressor script (does not count as a detection)", "RSA-08-3.png": "Floating Code module output showing keylogger key definitions (does not count as a detection)", "": ""}}, "15.A.1": {"Procedure": "Empire: Built-in keylogging module executed to capture keystrokes of user Bob", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1010": {"TechniqueName": "Application Window Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"8.C.1": {"Procedure": "Cobalt Strike: Keylogging capability included residual enumeration of application windows", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "15.A.1": {"Procedure": "Empire: Built-in keylogging module included residual enumeration of application windows", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1113": {"TechniqueName": "Screen Capture", "TacticGroup": "Collection", "PrimaryEnabling": "Primary", "Steps": {"8.D.1": {"Procedure": "Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie", "DetectionCategories": [{"None": "No detection 
capability demonstrated for this procedure, though a floating code \"IIOC\" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe multiple components related to jpegs, which may be related to screenshots, but this does not show that execution occurred."}], "Screenshots": {"RSA-08-4.png": "Floating Code module generated from DLL injection showing multiple jpeg components (does not count as a detection)", "": ""}}}}, "T1039": {"TechniqueName": "Data from Network Shared Drive", "TacticGroup": "Collection", "PrimaryEnabling": "Primary", "Steps": {"9.B.1": {"Procedure": "Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "18.B.1": {"Procedure": "Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1041": {"TechniqueName": "Exfiltration Over Command and Control Channel", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"9.B.1": {"Procedure": "Cobalt Strike: Download capability exfiltrated data through existing C2 channel", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1078": {"TechniqueName": "Valid Accounts", "TacticGroup": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "PrimaryEnabling": "Primary", "Steps": {"10.B.1": {"Procedure": "RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse", "DetectionCategories": [{"Telemetry": "Telemetry showed \"unregmp2.exe /FirstLogon\" (associated with user logon) as well as the user 
name \"Jesse J\" within Machine Properties."}], "Screenshots": {"RSA-10-3.png": "Telemetry showing \"unregmp2.exe /FirstLogon\" (associated with user logon)", "RSA-10-4.png": "Telemetry showing user name \"Jesse J\" within Machine Properties", "": ""}}, "16.B.1": {"Procedure": "Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick", "DetectionCategories": [{"Telemetry": "Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick."}], "Screenshots": {"RSA-16-2.png": "Telemetry showing logon attempts via net.exe using valid credentials of user Kmitnick", "": ""}}, "16.D.1": {"Procedure": "Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick", "DetectionCategories": [{"Telemetry": "Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick."}], "Screenshots": {"RSA-16-4.png": "Telemetry showing logon attempts via net.exe using valid credentials of user Kmitnick", "": ""}}}}, "T1086": {"TechniqueName": "PowerShell", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"11.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.F.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.F.2": 
{"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.G.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.G.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.B.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "15.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.H.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.I.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.J.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.K.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.L.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.B.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "18.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "18.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "19.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "19.D.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}}}, "T1032": {"TechniqueName": "Standard Cryptographic Protocol", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": 
{"11.B.1": {"Procedure": "Empire: Encrypted C2 channel established using HTTPS", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over port 443 and to letsencrypt.org (no protocol was identified for this traffic)."}], "Screenshots": {"RSA-11-2.png": "Telemetry showing network connections, including over port 443 (does not count as a detection)", "": ""}}}}, "T1201": {"TechniqueName": "Password Policy Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.3": {"Procedure": "Empire: WinEnum module included enumeration of password policy information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1115": {"TechniqueName": "Clipboard Data", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.5": {"Procedure": "Empire: WinEnum module included enumeration of clipboard contents", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1135": {"TechniqueName": "Network Share Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.9.1": {"Procedure": "Empire: WinEnum module included enumeration of available shares", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.9.2": {"Procedure": "Empire: WinEnum module included enumeration of mapped network drives", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1063": {"TechniqueName": "Security Software Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.10.1": {"Procedure": "Empire: WinEnum module included enumeration of AV solutions", "DetectionCategories": [{"None": "No detection capability demonstrated for this 
procedure."}], "Screenshots": {"": ""}}, "12.E.1.10.2": {"Procedure": "Empire: WinEnum module included enumeration of firewall rules", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1081": {"TechniqueName": "Credentials in Files", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"15.B.1": {"Procedure": "Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1110": {"TechniqueName": "Brute Force", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"16.A.1": {"Procedure": "Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users\u00a0Kmitnick, Bob, and Frieda", "DetectionCategories": [{"Telemetry": "Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying."}], "Screenshots": {"RSA-16-1.png": "Telemetry showing logon attempts via net.exe and command-line arguments", "": ""}}, "16.B.1": {"Procedure": "Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying", "DetectionCategories": [{"Telemetry": "Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon."}], "Screenshots": {"RSA-16-2.png": "Telemetry showing logon attempts via net.exe and command-line arguments", "": ""}}}}, "T1077": {"TechniqueName": "Windows Admin Shares", "TacticGroup": "Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"16.A.1": {"Procedure": "Empire: Brute force password spraying attempts targeted Windows admin 
shares on Morris (10.0.1.4) and Nimda (10.0.1.6)", "DetectionCategories": [{"Telemetry": "Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments."}], "Screenshots": {"RSA-16-1.png": "Telemetry showing logon attempts targeting ADMIN$ via net.exe and command-line arguments", "": ""}}, "16.B.1": {"Procedure": "Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)\u00a0", "DetectionCategories": [{"Telemetry": "Telemetry showed a logon attempt via net.exe and command-line arguments targeting ADMIN$ via net.exe and command-line arguments."}], "Screenshots": {"RSA-16-2.png": "Telemetry showing logon attempt targeting ADMIN$ via net.exe and command-line arguments", "": ""}}, "16.D.1": {"Procedure": "Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed a logon attempt via net.exe and command-line arguments targeting C$ via net.exe and command-line arguments."}], "Screenshots": {"RSA-16-4.png": "Telemetry showing logon attempt targeting C$ via net.exe and command-line arguments", "": ""}}}}, "T1126": {"TechniqueName": "Network Share Connection Removal", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"16.C.1": {"Procedure": "Empire: 'net use /delete' via PowerShell", "DetectionCategories": [{"Telemetry": "Telemetry showed net.exe execution and command-line arguments."}], "Screenshots": {"RSA-16-3.png": "Telemetry showing net.exe execution and command-line arguments", "": ""}}}}, "T1036": {"TechniqueName": "Masquerading", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"16.I.1": {"Procedure": "Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of sc.exe to create a new service called AdobeUpdater with a binPath set to run cmd.exe and execute update.vbs 
as well as set the service description. An analyst can use this information to determine the service is masquerading."}], "Screenshots": {"RSA-16-7.png": "Telemetry showing execution of sc.exe to create the AdobeUpdater service and set its description", "": ""}}, "19.A.1": {"Procedure": "Empire: File dropped to disk is a renamed copy of the WinRAR binary", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[RS30]"}], "Screenshots": {"": ""}}, "19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of recycler.exe with full command-line arguments, including -hp flag, indicating compression and encryption was used with a WinRAR utility.[RS4]"}], "Screenshots": {"RSA-19-1.png": "Telemetry showing execution of recycler.exe with command-line arguments indicating it is WinRAR", "": ""}}}}, "T1050": {"TechniqueName": "New Service", "TacticGroup": "Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"16.I.1": {"Procedure": "Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of sc.exe to create a new service called AdobeUpdater with a binPath set to run cmd.exe and execute update.vbs."}], "Screenshots": {"RSA-16-7.png": "Telemetry showing execution of sc.exe to create the AdobeUpdater service", "": ""}}}}, "T1035": {"TechniqueName": "Service Execution", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"16.L.1": {"Procedure": "Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper). 
Telemetry on Creeper showed the execution of cmd.exe to run update.vbs."}], "Screenshots": {"RSA-16-9.png": "Telemetry showing the execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper)", "RSA-16-8.png": "Telemetry showing the execution of update.vbs on 10.0.0.4 (Creeper)", "": ""}}}}, "T1222": {"TechniqueName": "File Permissions Modification", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"17.B.1": {"Procedure": "Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe", "DetectionCategories": [{"Telemetry": "Telemetry showed takeown.exe execution to change the file permissions on magnify.exe."}], "Screenshots": {"RSA-17-1.png": "Telemetry showing takeown.exe execution with magnify.exe in command-line arguments", "": ""}}, "17.B.2": {"Procedure": "Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe", "DetectionCategories": [{"Telemetry": "Telemetry showed icacls.exe execution to change permissions on magnify.exe granting discretionary access to SYSTEM."}], "Screenshots": {"RSA-17-1.png": "Telemetry showing icacls.exe execution with magnify.exe in command-line arguments", "": ""}}}}, "T1015": {"TechniqueName": "Accessibility Features", "TacticGroup": "Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"17.C.1": {"Procedure": "Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe", "DetectionCategories": [{"Telemetry": "Telemetry showed a file write event on magnify.exe in the system directory. 
A search for \\\"cmd\\\" on CodeRed shows the hash value of magnify.exe matches cmd.exe."}], "Screenshots": {"RSA-17-1.png": "Telemetry showing file write to magnify.exe in the system directory", "RSA-17-2.png": "Magnify.exe hash matches cmd.exe (top two hashes in Tracking pane, file names and full hash values cut off)", "": ""}}, "20.A.1": {"Procedure": "magnifer.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of magnify.exe."}], "Screenshots": {"RSA-20-1.png": "Telemetry showing magnify.exe execution", "": ""}}}}, "T1074": {"TechniqueName": "Data Staged", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"18.B.1": {"Procedure": "Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\\$Recycle.Bin) on CodeRed (10.0.1.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1002": {"TechniqueName": "Data Compressed", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of recycler.exe with full command-line arguments, including -hp flag, indicating compression and encryption was used with a WinRAR utility.[RS3]"}], "Screenshots": {"RSA-19-1.png": "Telemetry showing execution of recycler.exe with command-line arguments", "": ""}}}}, "T1022": {"TechniqueName": "Data Encrypted", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of 
recycler.exe with full command-line arguments, including -hp flag, indicating compression and encryption was used with a WinRAR utility.[RS3]"}], "Screenshots": {"RSA-19-1.png": "Telemetry showing execution of recycler.exe with command-line arguments", "": ""}}}}, "T1048": {"TechniqueName": "Exfiltration Over Alternative Protocol", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.C.1": {"Procedure": "Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel", "DetectionCategories": [{"Telemetry": "Telemetry showed the execution of ftp.exe with command-line arguments, including ftp.txt, for exfiltration. The contents of ftp.txt was not seen."}], "Screenshots": {"RSA-19-2.png": "Telemetry showing the execution ftp.exe", "": ""}}}}, "T1107": {"TechniqueName": "File Deletion", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"19.D.1": {"Procedure": "Empire: 'del C:\\\"$\"Recycle.bin\\old.rar'", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure. 
[RS2]"}], "Screenshots": {"RSA-19-3.png": "Master file table on 10.0.1.5 (CodeRed) shows old.rar listed under deleted files (does not count as a detection)", "": ""}}, "19.D.2": {"Procedure": "Empire: 'del recycler.exe'", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}} -------------------------------------------------------------------------------- /data/SentinelOne.1.APT3.1_Results.json: -------------------------------------------------------------------------------- 1 | {"T1204": {"TechniqueName": "User Execution", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)", "DetectionCategories": [{"Telemetry": "Telemetry showed Resume Viewer.exe execution with subsequent file writes and execution."}, {"General Behavior": "A General Behavior alert was generated due to static analysis of the file through the DFI resulting in it being marked as suspicious, which generated a story (group ID) that subsequent linked events are tainted by."}], "Screenshots": {"S1-1.A.1-1.png": "Telemetry from process tree showing execution of Resume Viewer.exe", "S1-1.A.1-2.png": "General Behavior alert for execution of Resume Viewer.exe as a suspicious file", "": ""}}}}, "T1064": {"TechniqueName": "Scripting", "TacticGroup": "Defense Evasion, Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing the pdfhelper.cmd script. 
The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-1.B.1-1.png": "Telemetry from process tree showing the child cmd.exe process running the script pdfhelper.cmd (tainted by relationship to threat story)", "": ""}}, "11.A.1": {"Procedure": "Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)", "DetectionCategories": [{"Telemetry": "Telemetry showed wscript.exe executing autoupdate.vbs which then executed powershell.exe with an encoded PowerShell script."}, {"General Behavior": "A General Behavior alert was generated for the execution of autoupdate.vbs that was listed as an active threat."}], "Screenshots": {"S1-11.A.1-2.png": "Telemetry showing wscript.exe and powershell.exe ", "S1-11.A.1-1.png": "General Behavior alert for execution of autoupdate.vbs listed as an active threat", "": ""}}, "12.E.1": {"Procedure": "Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of a PowerShell script with follow-on enumeration activity that coincided with the execution of the WinEnum module. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.E.1-1.png": "Telemetry showing encoded PowerShell script (tainted Group ID not shown but was the search parameter)", "": ""}}}}, "T1085": {"TechniqueName": "Rundll32", "TacticGroup": "Defense Evasion, Execution", "PrimaryEnabling": "Primary", "Steps": {"1.A.1": {"Procedure": "Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed rundll32.exe executing as a result of Resume Viewer.exe running. 
The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-1.A.1-1.png": "Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story)", "": ""}}}}, "T1060": {"TechniqueName": "Registry Run Keys / Startup Folder", "TacticGroup": "Persistence", "PrimaryEnabling": "Primary", "Steps": {"1.B.1": {"Procedure": "Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup Folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-1.B.1-1.png": "Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story)", "": ""}}, "10.A.1": {"Procedure": "Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of autoupdate.bat from the Startup folder for persistence. 
The telemetry was associated to a new story (Group ID) but was not marked as malicious or tainted because it is not associated with an alert."}], "Screenshots": {"S1-10.A.1-2.png": "Telemetry showing execution of autoupdate.bat from the Startup folder", "S1-10.A.1-3.png": "Group ID query showing both autoupdate.bat and updater.dll persistence execution", "": ""}}}}, "T1043": {"TechniqueName": "Commonly Used Port", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using port 53", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO97]"}], "Screenshots": {"": ""}}, "6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to use port 80", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed a port 80 connection to 192.168.0.4 (C2 server) that was associated with the rundll32 parent process. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-6.B.1-1.png": "Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)", "": ""}}, "11.B.1": {"Procedure": "Empire: C2 channel established using port 443", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed network connections to 192.168.0.5 (C2 server) over TCP port 443. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-11.B.1-1.png": "Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (Group ID tainted the event but was not shown in this view)", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed network connections over port 8080. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-14.A.1-2.png": "Telemetry showing network connections over port 8080 in the filter (tainted by relationship to threat story but Group ID not shown in this view)", "": ""}}}}, "T1071": {"TechniqueName": "Standard Application Layer Protocol", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). 
The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-1.C.1-1.png": "Telemetry showing DNS requests to the C2 domain (tainted by relationship to threat story)", "": ""}}, "6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO96]"}], "Screenshots": {"": ""}}, "11.B.1": {"Procedure": "Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO20]"}], "Screenshots": {"S1-11.B.1-1.png": "Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1132": {"TechniqueName": "Data Encoding", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"1.C.1": {"Procedure": "Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed DNS requests with encoded content to freegoogleadsenseinfo.com (the C2 domain). 
The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-1.C.1-2.png": "Telemetry showing stream of DNS requests with encoded data", "S1-1.C.1-1.png": "Telemetry showing DNS query for freegoogleadsenseinfo.com (C2 domain) (tainted by relationship to threat story)", "": ""}}}}, "T1059": {"TechniqueName": "Command-Line Interface", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"2.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.C.2 ": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.D.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.E.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.F.3": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.G.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.G.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "2.H.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "4.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": 
""}}, "4.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "6.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "7.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.F.1": {"Procedure": "Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick\u00a0", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe execution of autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.F.1-1.png": "Telemetry showing cmd.exe launching autoupdate.vbs (tainted by relationship to threat story)", "": ""}}}}, "T1016": {"TechniqueName": "System Network Configuration Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.A.1": {"Procedure": "Cobalt Strike: 'ipconfig /all' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-3.png": "Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "2.A.2": {"Procedure": "Cobalt Strike: 'arp -a' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing arp.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.2-1.png": "Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "4.B.1": {"Procedure": "Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-4.A.1-2.png": "Telemetry showing netsh.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "12.A.1": {"Procedure": "Empire: 'route print' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.A.1-3.png": "Telemetry showing route.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.A.1-1.png": "Threat story showing partial tree of activity from the initial compromise alert", "S1-12.A.1-2.png": "Continued threat story showing initial compromise alert and powershell.exe\u00a0tainting route.exe", "": ""}}, "12.A.2": {"Procedure": "Empire: 'ipconfig /all' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.A.1-3.png": "Telemetry showing ipconfig.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.A.1-1.png": "Threat story showing initial compromise alert and powershell.exe\u00a0tainting ipconfig.exe", "": ""}}, "12.E.1.11": {"Procedure": "Empire: WinEnum module included enumeration of network adapters", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing WMI queries that indicated network adapter and configuration information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.E.1-2.png": "Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)", "S1-12.E.1-3.png": "Additional telemetry showing powershell.exe WMI queries for network adapter and configuration information", "": ""}}}}, "T1033": {"TechniqueName": "System Owner/User Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.B.1": {"Procedure": "Cobalt Strike: 'echo' via cmd to enumerate specific environment variables", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-4.png": "Telemetry showing echo with command-line arguments (tainted by relationship to threat story)", "": ""}}, "12.B.1": {"Procedure": "Empire: 'whoami /all /fo list' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing whoami.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.A.1-3.png": "Telemetry showing whoami.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.A.1-2.png": "Continued threat story showing initial compromise alert and powershell.exe\u00a0tainting whoami.exe", "": ""}}, "12.E.1.1": {"Procedure": "Empire: WinEnum module included enumeration of user information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "20.B.1": {"Procedure": "Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)", "DetectionCategories": [{"Enrichment": "Enrichment showed execution of the whoami command (enriched with description \\\"whoami - displays logged on user information\\\"). Execution of whoami was associated to the story (Group ID) created from the execution of magnify.exe, but was not considered tainted because an alert was not generated when magnify.exe was executed."}], "Screenshots": {"S1-20.B.1-1.png\n": "Enrichment of whoami command (displays logged on user information)", "": ""}}}}, "T1106": {"TechniqueName": "Execution through API", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"2.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "3.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "8.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "9.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "9.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, 
"12.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}}}, "T1057": {"TechniqueName": "Process Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.C.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "2.C.2 ": {"Procedure": "Cobalt Strike: 'tasklist /v' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-5.png": "Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "3.B.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "8.B.1": {"Procedure": "Cobalt Strike: 'ps' (Process status) via Win32 APIs", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.C.1": {"Procedure": "Empire: 'qprocess *' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.A.1-3.png": "Telemetry showing qprocess.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.A.1-1.png": "Threat story showing initial compromise alert and powershell.exe\u00a0tainting qprocess.exe", "": ""}}}}, "T1007": {"TechniqueName": "System Service Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.D.1": {"Procedure": "Cobalt Strike: 'sc query' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-6.png": "Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "2.D.2": {"Procedure": "Cobalt Strike: 'net start' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-7.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "12.D.1": {"Procedure": "Empire: 'net start' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing net.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.A.1-3.png": "Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.A.1-1.png": "Threat story showing initial compromise alert and powershell.exe\u00a0tainting net.exe", "": ""}}, "12.E.1.8": {"Procedure": "Empire: WinEnum module included enumeration of services", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.H.1": {"Procedure": "Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of sc.exe to query services on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.H.1-1.png": "Telemetry showing execution of sc.exe to query services on Creeper (tainted by relationship to threat story)", "": ""}}, "16.J.1": {"Procedure": "Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of sc.exe to query the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.J.1-1.png": "Telemetry showing execution of sc.exe to query AdobeUpdater service on Creeper (tainted by relationship to threat story)", "": ""}}, "17.A.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed reg.exe execution with command-line arguments indicating a check to see if terminal services was enabled. 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-17.A.1-4.png": "Threat story graph showing telemetry of reg.exe with query for terminal server setting (tainted by prior lateral movement alert by Group ID)", "": ""}}}}, "T1082": {"TechniqueName": "System Information Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.E.1": {"Procedure": "Cobalt Strike: 'systeminfo' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-8.png": "Telemetry showing systeminfo.exe (tainted by relationship to threat story)", "": ""}}, "2.E.2": {"Procedure": "Cobalt Strike: 'net config workstation' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-9.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "12.E.1.6.1": {"Procedure": "Empire: WinEnum module included enumeration of system information", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing WMI queries that indicated operating system information was queried. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.E.1-2.png": "Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)", "S1-12.E.1-3.png": "Additional telemetry showing powershell.exe WMI queries for operating system information", "": ""}}, "12.E.1.6.2": {"Procedure": "Empire: WinEnum module included enumeration of Windows update information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1069": {"TechniqueName": "Permission Groups Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.F.1": {"Procedure": "Cobalt Strike: 'net localgroup administrators' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-10.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "2.F.2": {"Procedure": "Cobalt Strike: 'net localgroup administrators /domain' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-11.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "2.F.3": {"Procedure": "Cobalt Strike: 'net group \"Domain Admins\" /domain' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-12.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "12.E.1.2": {"Procedure": "Empire: WinEnum module included enumeration of AD group memberships", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.F.1": {"Procedure": "Empire: 'net group \"Domain Admins\" /domain' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.F.1-3.png": "Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "": ""}}, "12.F.2": {"Procedure": "Empire: 'net\u00a0localgroup\u00a0administrators' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.F.1-1.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}}}, "T1087": {"TechniqueName": "Account Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.G.1": {"Procedure": "Cobalt Strike: 'net user /domain' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-13.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "2.G.2": {"Procedure": "Cobalt Strike: 'net user george /domain' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.A.1-14.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "7.A.1": {"Procedure": "Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.G.1": {"Procedure": "Empire: 'net user' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.F.1-3.png": "Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.F.1-1.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "S1-12.F.1-2.png": "Continued threat story showing related processes", "": ""}}, "12.G.2": {"Procedure": "Empire: 'net user /domain' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing net.exe with command-line arguments. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.F.1-3.png": "Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "S1-12.F.1-1.png": "Threat story showing initial compromise alert and powershell.exe\u00a0tainting net.exe", "S1-12.F.1-2.png": "Continued threat story showing initial compromise alert and powershell.exe\u00a0tainting net.exe", "": ""}}}}, "T1012": {"TechniqueName": "Query Registry", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"2.H.1": {"Procedure": "Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-2.H.1-1.png": "Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "6.A.1": {"Procedure": "Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing reg with command-line arguments. 
The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-6.A.1-1.png": "Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)", "": ""}}, "12.E.1.7": {"Procedure": "Empire: WinEnum module included enumeration of system information via a Registry query", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "13.C.1": {"Procedure": "Empire:\u00a0'reg query' via PowerShell to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of reg.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-13.A.1-1.png": "Telemetry showing execution of reg.exe and command-line arguments (tainted Group ID not shown but was the search parameter)", "": ""}}, "17.A.1": {"Procedure": "Empire: 'reg query' via PowerShell to enumerate a specific Registry key", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed reg.exe execution with command-line arguments. 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-17.A.1-4.png": "Threat story graph showing telemetry of reg.exe executing (tainted by prior lateral movement alert by Group ID)", "": ""}}}}, "T1134": {"TechniqueName": "Access Token Manipulation", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.A.1": {"Procedure": "Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "5.B.1": {"Procedure": "Cobalt Strike: Built-in token theft capability executed to change user context to George", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1088": {"TechniqueName": "Bypass User Account Control", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"3.A.1": {"Procedure": "Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level", "DetectionCategories": [{"Telemetry": "Telemetry showed process integrity levels changing from medium to high.[SO11]"}], "Screenshots": {"": ""}}, "14.A.1": {"Procedure": "Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed process integrity levels changing from medium to high (tainted by parent alert).[SO4]"}], "Screenshots": {"S1-14.A.1-1.png": "Telemetry showing process integrity level change from medium to high (tainted by relationship to threat story but Group ID not shown in this view)", "": ""}}}}, "T1055": {"TechniqueName": "Process Injection", "TacticGroup": "Defense Evasion, Privilege Escalation", "PrimaryEnabling": 
"Primary", "Steps": {"3.C.1": {"Procedure": "Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe allocating memory, writing to memory space, and invoking a thread into cmd.exe (tainted by association with parent alert for powershell.exe process executed by svchost.exe)."}], "Screenshots": {"S1-3.C.1-2.png": "Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view)", "": ""}}, "5.A.1": {"Procedure": "Cobalt Strike: Credential dump capability involved process injection into lsass", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "5.A.2": {"Procedure": "Cobalt Strike: Hash dump capability involved process injection into lsass.exe", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe injecting into svchost.exe (not counted for detection) then invoking a remote thread into lsass.exe. Powershell.exe was listed as the source of the remote thread into lsass.exe instead of svchost.exe because the alert on powershell.exe came before other events and therefore had increased precedence. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-5.A.2-1.png": "Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this view)", "": ""}}, "8.D.1": {"Procedure": "Cobalt Strike: Screen capture capability involved process injection into explorer.exe", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed the sequence of events related to process injection from powershell.exe into explorer.exe. 
The capability associated the process with the highest threat to the event (powershell.exe) instead of cmd.exe (the expected source of the injection) because it had an alert associated with it previously. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-8.D.1-1.png": "Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view)", "": ""}}}}, "T1018": {"TechniqueName": "Remote System Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"4.A.1": {"Procedure": "Cobalt Strike: 'net group \"Domain Controllers\" /domain' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-4.A.1-1.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "4.A.2": {"Procedure": "Cobalt Strike: 'net group \"Domain Computers\" /domain' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-4.A.1-2.png": "Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)", "S1-4.A.1-3.png": "Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious)", "": ""}}, "13.A.1": {"Procedure": "Empire: 'net group \"Domain Computers\" /domain' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of net.exe with command-line arguments. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-13.A.1-1.png": "Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)", "": ""}}}}, "T1049": {"TechniqueName": "System Network Connections Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"4.C.1": {"Procedure": "Cobalt Strike: 'netstat -ano' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-4.A.1-2.png": "Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story)", "": ""}}, "12.E.1.12": {"Procedure": "Empire: WinEnum module included enumeration of established network connections", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.E.1-1.png": "Telemetry showing netstat.exe with command-line arguments (tainted Group ID not shown but was the search parameter)", "": ""}}, "13.B.1": {"Procedure": "Empire: 'net use' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of net.exe with command-line arguments. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-13.A.1-1.png": "Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)", "": ""}}, "13.B.2": {"Procedure": "Empire: 'netstat -ano' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of netstat.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-13.A.1-1.png": "Telemetry showing execution of netstat.exe and command-line arguments (tainted Group ID not shown but was the search parameter)", "": ""}}}}, "T1003": {"TechniqueName": "Credential Dumping", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"5.A.1": {"Procedure": "Cobalt Strike: Built-in Mimikatz credential dump capability executed", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO1]"}], "Screenshots": {"": ""}}, "5.A.2": {"Procedure": "Cobalt Strike: Built-in hash dump capability executed", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO1]"}], "Screenshots": {"": ""}}}}, "T1026": {"TechniqueName": "Multiband Communication", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"6.B.1": {"Procedure": "Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed port 80 connections to 192.168.0.4 (C2 server) and DNS requests for freegoogleadsenseinfo.com (C2 domain), which could indicate multiband communication. 
The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-6.B.1-1.png": "Telemetry showing port 80 connection to 192.168.0.4 (C2 server)", "S1-1.C.1-1.png": "Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID)", "": ""}}}}, "T1076": {"TechniqueName": "Remote Desktop Protocol", "TacticGroup": "Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"6.C.1": {"Procedure": "Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed a port 3389 connection. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-6.C.1-1.png": "Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID)", "": ""}}, "10.B.1": {"Procedure": "RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry from Nimda showed a TCP port 3389 connection from 10.0.1.6 (Nimda) to 10.0.0.5 (Conficker). The rundll32.exe process (PID 184) that was used to load updater.dll was used to proxy the RDP connection to Conficker. 
The telemetry was tainted by the activity generated during the privilege escalation step because it was associated with the same story (Group ID).\u00a0"}], "Screenshots": {"S1-10.B.1-1.png": "Telemetry showing connection over port 3389 to 10.0.0.5 (Conficker)", "S1-10.B.1-2.png": "Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (port 3389 connection not specifically shown in this view, but it identifies the rundll32.exe process tainting the connection by Group ID)", "": ""}}, "20.A.1": {"Procedure": "RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1136": {"TechniqueName": "Create Account", "TacticGroup": "Persistence", "PrimaryEnabling": "Primary", "Steps": {"7.A.1": {"Procedure": "Added user Jesse to Conficker (10.0.0.5) through RDP connection", "DetectionCategories": [{"Telemetry": "Telemetry showed the creation of the user Jesse which was noted from SAM Registry events."}], "Screenshots": {"S1-7.A.1-1.png": "Telemetry showing creation of user account Jesse", "": ""}}}}, "T1061": {"TechniqueName": "Graphical User Interface", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"7.A.1": {"Procedure": "Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1105": {"TechniqueName": "Remote File Copy", "TacticGroup": "Command and Control, Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"7.B.1": {"Procedure": "Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed file write of updater.dll. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-7.B.1-1.png": "Telemetry showing file write of updater.dll (tainted by relationship to threat story)", "": ""}}, "14.A.1": {"Procedure": "Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.E.1": {"Procedure": "Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed creation and file write events for autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.E.1-1.png": "Telemetry showing file event for autoupdate.vbs (tainted by relationship to threat story but Group ID not shown in this view)", "S1-16.E.1-2.png": "Telemetry showing creation and writes to autoupdate.vbs", "": ""}}, "16.G.1": {"Procedure": "Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper). The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.G.1-2.png": "Telemetry showing create file event of update.vbs on 10.0.0.4 (Creeper) (tainted by relationship to threat story but Group ID not shown in this view)", "": ""}}, "19.A.1": {"Procedure": "Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed file write of recycler.exe with hash value. 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.A.1-1.png\n": "Telemetry showing file write of recycler.exe", "S1-19.A.1-2.png": "Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID", "": ""}}}}, "T1053": {"TechniqueName": "Scheduled Task", "TacticGroup": "Execution, Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"7.C.1": {"Procedure": "Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of schtasks.exe and associated command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-7.C.1-1.png": "Telemetry showing schtask.exe and associated command-line arguments (tainted by relationship to threat story)", "": ""}}, "10.A.2": {"Procedure": "Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32", "DetectionCategories": [{"Telemetry": "Telemetry showed rundll32.exe executing updater.dll as part of the scheduled task persistence. 
The telemetry was associated with the execution of autoupdate.bat for persistence because it was associated with the same story (Group ID) but is not marked as malicious or tainted because it is not associated with an alert."}], "Screenshots": {"S1-10.A.2-2.png": "Telemetry showing rundll32.exe executing updater.dll", "S1-10.A.1-3.png": "Group ID query showing both autoupdate.bat and updater.dll persistence execution", "": ""}}}}, "T1083": {"TechniqueName": "File and Directory Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"8.A.1": {"Procedure": "Cobalt Strike: 'dir /s /b \"\\\\conficker\\wormshare\"' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-8.A.1-2.png": "Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story)", "": ""}}, "8.A.2": {"Procedure": "Cobalt Strike: 'tree \"C:\\Users\\debbie\"' via cmd", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed cmd.exe executing tree with command-line arguments. 
The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-8.A.1-3.png": "Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story)", "": ""}}, "9.A.1": {"Procedure": "Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.4.1": {"Procedure": "Empire: WinEnum module included enumeration of recently opened files", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.4.2": {"Procedure": "Empire: WinEnum module included enumeration of interesting files", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "16.K.1": {"Procedure": "Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed a remote access event on update.vbs.[SO91]"}], "Screenshots": {"": ""}}, "18.A.1": {"Procedure": "Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1056": {"TechniqueName": "Input Capture", "TacticGroup": "collection, Credential Access", "PrimaryEnabling": "Primary", "Steps": {"8.C.1": {"Procedure": "Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed GetAsyncKeyStateApi, which was indicative of keylogging. 
The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).[SO3]"}], "Screenshots": {"S1-8.C.1-2.png": "Telemetry showing GetAsyncKeyStateApi (Group ID tainted the event but was not shown in this view)", "S1-8.C.1-1.png": "Telemetry showing process injection into explorer.exe (does not count as a detection)", "": ""}}, "15.A.1": {"Procedure": "Empire: Built-in keylogging module executed to capture keystrokes of user Bob", "DetectionCategories": [{"Enrichment,Tainted": "The capability enriched data collected as keylogging behavior that was not visible through the standard interface during the evaluation. [SO5]"}], "Screenshots": {"S1-15.A.1-1.png": "Enrichment of use of GetAsyncKeyStateApi tagged as a keylogger (tainted by relationship to threat story but Group ID not shown in this view)", "": ""}}}}, "T1010": {"TechniqueName": "Application Window Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"8.C.1": {"Procedure": "Cobalt Strike: Keylogging capability included residual enumeration of application windows", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "15.A.1": {"Procedure": "Empire: Built-in keylogging module included residual enumeration of application windows", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1113": {"TechniqueName": "Screen Capture", "TacticGroup": "Collection", "PrimaryEnabling": "Primary", "Steps": {"8.D.1": {"Procedure": "Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1039": {"TechniqueName": "Data from Network Shared Drive", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": 
{"9.B.1": {"Procedure": "Cobalt Strike: Built-in download capability executed to a collect file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry": "Telemetry showed remote file access behavior for the .vsdx file from the network shared drive."}], "Screenshots": {"S1-9.B.1-1.png": "Telemetry showing .vsdx file access from WormShare on the network shared drive", "": ""}}, "18.B.1": {"Procedure": "Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed the .vsdx file copied from a network shared drive on Conficker. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-18.B.1-1.png": "Exported telemetry of threat story (taints event) showing .vsdx file copy from network shared drive on Conficker", "": ""}}}}, "T1041": {"TechniqueName": "Exfiltration Over Command and Control Channel", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"9.B.1": {"Procedure": "Cobalt Strike: Download capability exfiltrated data through existing C2 channel", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1078": {"TechniqueName": "Valid Accounts", "TacticGroup": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "PrimaryEnabling": "Primary", "Steps": {"10.B.1": {"Procedure": "RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse", "DetectionCategories": [{"Telemetry": "Telemetry showed the Jesse account had logged into the system."}], "Screenshots": {"S1-10.B.1-3.png": "Telemetry showing last logged on user identified as Jesse", "": ""}}, "16.B.1": {"Procedure": "Empire: 'net use' via PowerShell to successfully 
authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed a logon attempt using valid credentials of user Kmitnick via net.exe and command-line arguments (tainted by relationship to threat story). The log files showed an exit code of 0x2 which indicates a logon failure, but does not differentiate between bad credentials and access denied to resource."}], "Screenshots": {"S1-16.B.1-1.png": "Telemetry showing net.exe logon attempts, the last of which using valid credentials for user Kmitnick (tainted by relationship to threat story)", "S1-16.A.1-2.png": "Telemetry showing net.exe logon attempts and corresponding exit codes", "": ""}}, "16.D.1": {"Procedure": "Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.D.1-1.png": "Telemetry showing a net.exe logon attempt using valid credentials for user Kmitnick (tainted by relationship to threat story)", "": ""}}}}, "T1086": {"TechniqueName": "PowerShell", "TacticGroup": "Execution", "PrimaryEnabling": "Enabling", "Steps": {"11.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.A.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.E.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.F.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.F.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.G.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "12.G.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.B.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "13.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "15.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.H.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.I.1": {"Procedure": "", "DetectionCategories": [{"": ""}], 
"Screenshots": {"": ""}}, "16.J.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.K.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "16.L.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.B.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "17.C.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "18.A.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "18.B.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "19.D.1": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}, "19.D.2": {"Procedure": "", "DetectionCategories": [{"": ""}], "Screenshots": {"": ""}}}}, "T1032": {"TechniqueName": "Standard Cryptographic Protocol", "TacticGroup": "Command and Control", "PrimaryEnabling": "Primary", "Steps": {"11.B.1": {"Procedure": "Empire: Encrypted C2 channel established using HTTPS", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO20]"}], "Screenshots": {"S1-11.B.1-1.png": "Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)", "": ""}}}}, "T1201": {"TechniqueName": "Password Policy Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.3": {"Procedure": "Empire: WinEnum module included enumeration of password policy information", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1115": {"TechniqueName": "Clipboard Data", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.5": {"Procedure": 
"Empire: WinEnum module included enumeration of clipboard contents", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure.[SO95]"}], "Screenshots": {"": ""}}}}, "T1135": {"TechniqueName": "Network Share Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.9.1": {"Procedure": "Empire: WinEnum module included enumeration of available shares", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}, "12.E.1.9.2": {"Procedure": "Empire: WinEnum module included enumeration of mapped network drives", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed powershell.exe executing WMI queries that indicated logical disk information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.E.1-2.png": "Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)", "S1-12.E.1-3.png": "Additional telemetry showing powershell.exe WMI queries for logical disk information", "": ""}}}}, "T1063": {"TechniqueName": "Security Software Discovery", "TacticGroup": "Discovery", "PrimaryEnabling": "Primary", "Steps": {"12.E.1.10.1": {"Procedure": "Empire: WinEnum module included enumeration of AV solutions", "DetectionCategories": [{"Enrichment,Tainted": "The capability enriched powershell.exe activity with the action \\\"attempted to find other installed security software.\\\" The enrichment was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}, {"Telemetry,Tainted": "Telemetry showed powershell.exe executing WMI queries that indicated antivirus product information was queried. 
The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-12.E.1-2.png": "Enrichment of powershell.exe with action \\\"attempted to find other installed security software\\\" (tainted Group ID not shown but was the search parameter)", "S1-12.E.1-3.png": "Telemetry showing powershell.exe WMI queries for antivirus product information (tainted by relationship to threat story)", "": ""}}, "12.E.1.10.2": {"Procedure": "Empire: WinEnum module included enumeration of firewall rules", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1081": {"TechniqueName": "Credentials in Files", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"15.B.1": {"Procedure": "Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)", "DetectionCategories": [{"None": "No detection capability demonstrated for this procedure."}], "Screenshots": {"": ""}}}}, "T1110": {"TechniqueName": "Brute Force", "TacticGroup": "Credential Access", "PrimaryEnabling": "Primary", "Steps": {"16.A.1": {"Procedure": "Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users\u00a0Kmitnick, Bob, and Frieda", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). 
The log files showed an exit code of 0x2 which indicates a logon failure, but does not differentiate between bad credentials and access denied to resource."}], "Screenshots": {"S1-16.A.1-1.png": "Telemetry showing net.exe logon attempts (tainted by relationship to threat story)", "S1-16.A.1-2.png": "Telemetry showing net.exe logon attempts and corresponding exit codes", "": ""}}, "16.B.1": {"Procedure": "Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2 which indicates a logon failure, but does not differentiate between bad credentials and access denied to resource."}], "Screenshots": {"S1-16.B.1-1.png": "Telemetry showing net.exe logon attempts (tainted by relationship to threat story)", "S1-16.A.1-2.png": "Telemetry showing net.exe logon attempts and corresponding exit codes", "": ""}}}}, "T1077": {"TechniqueName": "Windows Admin Shares", "TacticGroup": "Lateral Movement", "PrimaryEnabling": "Primary", "Steps": {"16.A.1": {"Procedure": "Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). 
The log files showed an exit code of 0x2 which indicates a logon failure, but does not differentiate between bad credentials and access denied to resource."}], "Screenshots": {"S1-16.A.1-1.png": "Telemetry showing net.exe logon attempts targeting ADMIN$ (tainted by relationship to threat story)", "S1-16.A.1-2.png": "Telemetry showing net.exe logon attempts targeting ADMIN$ and corresponding exit codes", "": ""}}, "16.B.1": {"Procedure": "Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)\u00a0", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed a logon attempt via net.exe and command-line arguments targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2 which indicates a logon failure, but does not differentiate between bad credentials and access denied to resource."}], "Screenshots": {"S1-16.B.1-1.png": "Telemetry showing a net.exe logon attempt targeting ADMIN$ (tainted by relationship to threat story)", "S1-16.A.1-2.png": "Telemetry showing net.exe logon attempts and corresponding exit codes", "": ""}}, "16.D.1": {"Procedure": "Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed a logon attempt via net.exe and command-line arguments targeting C$ via net.exe and command-line arguments. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.D.1-1.png": "Telemetry showing a net.exe logon attempt targeting C$ (tainted by relationship to threat story)", "": ""}}}}, "T1126": {"TechniqueName": "Network Share Connection Removal", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"16.C.1": {"Procedure": "Empire: 'net use /delete' via PowerShell", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.C.1-1.png": "Telemetry showing net.exe and command-line arguments (tainted by relationship to threat story)", "": ""}}}}, "T1036": {"TechniqueName": "Masquerading", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"16.I.1": {"Procedure": "Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed executions of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs as well as a setting the service description. An analyst can use this information to determine AdobeUpdater is masquerading. 
The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.I.1-1.png": "Telemetry showing execution of sc.exe to create the AdobeUpdater service and set the description (partially shown one line above; both tainted by prior threat story)", "": ""}}, "19.A.1": {"Procedure": "Empire: File dropped to disk is a renamed copy of the WinRAR binary", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed file creation event for recycler.exe on CodeRed along with MD5, SHA1, and SHA256 hashes. Hashes could be used to look up information on the binary. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.A.1-1.png": "Telemetry showing file write of recycler.exe with file hashes", "S1-19.A.1-2.png": "Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID", "": ""}}, "19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary", "DetectionCategories": [{"Enrichment,Tainted": "Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The Process Name field in the row for recycler.exe enriched the event with \\\"Command line RAR\\\". 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.B.1-1.png": "Enrichment showing the execution of recycler.exe with process name identified as \\\"Command line RAR\\\"", "S1-19.A.1-2.png": "Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID", "": ""}}}}, "T1050": {"TechniqueName": "New Service", "TacticGroup": "Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"16.I.1": {"Procedure": "Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-16.I.1-1.png": "Telemetry showing execution of sc.exe to create the AdobeUpdater service (tainted by prior threat story)", "": ""}}}}, "T1035": {"TechniqueName": "Service Execution", "TacticGroup": "Execution", "PrimaryEnabling": "Primary", "Steps": {"16.L.1": {"Procedure": "Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of sc.exe to start the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID)."}, {"General Behavior": "A General Behavior alert was generated for the lateral movement activity. 
A new story grouping was generated for the event on Creeper to associate subsequent activity."}], "Screenshots": {"S1-16.L.1-1.png": "Telemetry showing execution of sc.exe to start the AdobeUpdater service on Creeper (tainted by relationship to threat story)", "S1-16.G.1-1.png": "Lateral movement alert generated by the remote service start on Creeper", "": ""}}}}, "T1222": {"TechniqueName": "File Permissions Modification", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"17.B.1": {"Procedure": "Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe", "DetectionCategories": [{"Enrichment,Tainted": "Telemetry showed takeown.exe execution with command-line arguments containing magnify.exe. The event was enriched to show that ownership of a file was taken over. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-17.A.1-1.png": "Enrichment showing takeown.exe execution (tainted by prior lateral movement alert by Group ID)", "": ""}}, "17.B.2": {"Procedure": "Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed icacls.exe execution with command-line arguments containing magnify.exe. 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-17.A.1-3.png": "Telemetry showing icacls.exe execution (tainted by prior lateral movement alert by Group ID)", "": ""}}}}, "T1015": {"TechniqueName": "Accessibility Features", "TacticGroup": "Persistence, Privilege Escalation", "PrimaryEnabling": "Primary", "Steps": {"17.C.1": {"Procedure": "Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed file write of magnify.exe in the system directory from a file copy event for cmd.exe with matching hash values. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-17.C.1-1.png": "Telemetry showing file copy and write events of cmd.exe to overwrite magnify.exe with matching hash values (tainted by prior lateral movement threat story; Group ID not shown in this view)", "": ""}}, "20.A.1": {"Procedure": "magnifer.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)", "DetectionCategories": [{"Telemetry": "Telemetry showed execution of magnify.exe which was identified as a Windows Command Processor within the interface. Activity associated with a new story (Group ID)."}], "Screenshots": {"S1-20.B.1-1.png\n": "Telemetry showing magnify.exe execution (identified as Windows Command Processor)", "": ""}}}}, "T1074": {"TechniqueName": "Data Staged", "TacticGroup": "collection", "PrimaryEnabling": "Primary", "Steps": {"18.B.1": {"Procedure": "Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\\$Recycle.Bin) on CodeRed (10.0.1.5)", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed file write of the .vsdx to the Recycle Bin. 
The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-18.B.1-1.png": "Exported telemetry of threat story (taints event) showing .vsdx file copy and write", "": ""}}}}, "T1002": {"TechniqueName": "Data Compressed", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.B.1-1.png": "Telemetry showing the execution of recycler.exe", "S1-19.A.1-2.png": "Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID", "": ""}}}}, "T1022": {"TechniqueName": "Data Encrypted", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.B.1": {"Procedure": "Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.B.1-1.png": "Telemetry showing the execution of recycler.exe", "S1-19.A.1-2.png": "Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID", "": ""}}}}, "T1048": {"TechniqueName": "Exfiltration Over Alternative Protocol", "TacticGroup": "Exfiltration", "PrimaryEnabling": "Primary", "Steps": {"19.C.1": {"Procedure": "Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed ftp.exe running with ftp.txt as an argument. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.C.1-1.png": "Telemetry showing the execution of ftp.exe with ftp.txt associated to prior lateral movement threat story by Group ID", "": ""}}}}, "T1107": {"TechniqueName": "File Deletion", "TacticGroup": "Defense Evasion", "PrimaryEnabling": "Primary", "Steps": {"19.D.1": {"Procedure": "Empire: 'del C:\\\"$\"Recycle.bin\\old.rar'", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed the file deletion of old.rar. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.D.1-1.png": "Telemetry exported from threat story showing the deletion of old.rar was tainted by prior activity because it was under the same Group ID", "": ""}}, "19.D.2": {"Procedure": "Empire: 'del recycler.exe'", "DetectionCategories": [{"Telemetry,Tainted": "Telemetry showed the file deletion of recycler.exe. 
The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID)."}], "Screenshots": {"S1-19.D.1-1.png": "Telemetry exported from threat story showing the deletion of recycler.exe was tainted by prior activity because it was under the same Group ID", "": ""}}}}}
--------------------------------------------------------------------------------
/detection_types.txt:
--------------------------------------------------------------------------------

Specific Behavior
Specific Behavior, Tainted
Specific Behavior,Tainted
General Behavior
General Behavior, Tainted
Specific Behavior, Delayed
Specific Behavior,Delayed
General Behavior, Delayed
General Behavior,Delayed
General Behavior,Delayed,Tainted
Enrichment
Enrichment, Tainted
Enrichment,Tainted
Enrichment, Delayed
Enrichment, Delayed, Tainted
Enrichment,Delayed, Tainted
Enrichment,Delayed,Tainted
Enrichment, Tainted, Delayed
Enrichment,Tainted, Delayed
Telemetry
Telemetry, Tainted
Telemetry,Tainted
Specific Behavior,Configuration Change
General Behavior, Configuration Change, Delayed, Tainted
General Behavior,Configuration Change
General Behavior,Configuration Change, Delayed, Tainted
Enrichment, Configuration Change
Enrichment,Configuration Change
Enrichment, Tainted,Configuration Change
Enrichment,Tainted,Configuration Change
Indicator of Compromise,Configuration Change
Telemetry,Configuration Change
None
--------------------------------------------------------------------------------
/kill_chain_analysis.py:
--------------------------------------------------------------------------------
import json
import glob
import os

# I didn't clean the data because I didn't want to modify anything;
# irregularities in data source lead to some duplication here.
#
# Score per detection category string as it appears in the evaluation JSON:
#   5 = behavior alert (Specific/General Behavior), 3 = delayed alert or enrichment,
#   1 = telemetry, 0 = configuration-change detections, IoC-only, or no detection.
# Spelling/spacing variants of the same category are listed separately on purpose.
scoring = { 'Specific Behavior':5,
            'Specific Behavior, Tainted':5,
            'Specific Behavior,Tainted':5,
            'General Behavior':5,
            'General Behavior, Tainted':5,
            'Specific Behavior, Delayed':3,
            'Specific Behavior,Delayed':3,
            'General Behavior, Delayed':3,
            'General Behavior,Delayed':3,
            'General Behavior,Delayed,Tainted':3,
            'Enrichment':3,
            'Enrichment, Tainted':3,
            'Enrichment,Tainted':3,
            'Enrichment, Delayed':1,
            'Enrichment, Delayed, Tainted':1,
            'Enrichment,Delayed, Tainted':1,
            'Enrichment,Delayed,Tainted':1,
            'Enrichment, Tainted, Delayed':1,
            'Enrichment,Tainted, Delayed':1,
            'Telemetry':1,
            'Telemetry, Tainted':1,
            'Telemetry,Tainted':1,
            'Telemetry, Delayed':1,
            'Specific Behavior,Configuration Change':0,
            'General Behavior,Configuration Change':0,
            'General Behavior, Configuration Change, Delayed, Tainted':0,
            'General Behavior,Configuration Change, Delayed, Tainted':0,
            'Enrichment, Configuration Change':0,
            'Enrichment,Configuration Change':0,
            'Enrichment, Tainted,Configuration Change':0,
            'Enrichment, Tainted, Configuration Change':0,
            'Enrichment,Tainted,Configuration Change':0,
            'Indicator of Compromise,Configuration Change':0,
            'Telemetry,Configuration Change':0,
            'General Behavior, Configuration Change':0,
            'Telemetry, Configuration Change':0,
            'Indicator of Compromise':0,
            'Indicator of Compromise, Delayed':0,
            'None':0 }

# Kill-chain phases of the APT3 emulation; the scenario is run once with
# Cobalt Strike (steps 1-10) and once with Empire (steps 11-20).
scenario = ['Initial Compromise',
            'Initial Discovery',
            'Privilege Escalation',
            'Discovery for Lateral Movement',
            'Credential Access',
            'Lateral Movement',
            'Persistence',
            'Collection',
            'Exfiltration',
            'Execution of Persistence' ]

# Maps the best score reached in a step back to a human-readable detection level.
detect_enum = {0:'None', 1:'Telemetry', 3:'Enrichment', 5:'Alert'}

def generate_score(data):
    # One slot per scenario step (1-20), keyed 0-19.
    totalscore = {}
    for i in range(20):
        totalscore[i] = 0

    for technique_id, technique in data.items():
        if technique_id == 'PublicRelease':
            continue
        for step_id, step in technique['Steps'].items():
            # Step ids look like "16.B.1"; the leading number is the scenario step.
            id = (int(step_id.split('.',1)[0]) - 1)
            for detection in step['DetectionCategories']:
                for k,v in detection.items():
                    # Keep the highest-scoring detection category seen anywhere in this step.
                    if len(k.strip()) and totalscore[id] < scoring[k.strip()]:
                        totalscore[id] = scoring[k.strip()]
    return totalscore


path = './data/'
for infile in glob.glob(os.path.join(path, '*json')):
    with open(infile) as json_data:
        data = json.load(json_data)
        score = generate_score(data)
    print(f'{infile}')
    print('  Cobalt Strike:')
    for i in range(10):
        print(f'    {scenario[i]}: {detect_enum[score[i]]}')
    print('  Empire:')
    for i in range(10,20):
        print(f'    {scenario[i%10]}: {detect_enum[score[i]]}')


--------------------------------------------------------------------------------
/query_attack.py:
--------------------------------------------------------------------------------
import json
import glob
import os
import argparse
import sys
import re

class QueryAttackEval:
    """Query one vendor's evaluation JSON by technique id, procedure (step) id, or free-text search."""

    def __init__(self, args):
        self.args = args

        # this line is only to protect the object and should never trigger if running from this script
        assert(self.args.technique or self.args.procedure or self.args.search)


    def get_technique(self, technique_id):
        # Print every procedure under one ATT&CK technique with its detection categories.
        print(f'{self.filename}')
        technique = self.data[technique_id]
        name = technique['TechniqueName']
        print(f'  {technique_id}: {name}')
        for step_id, step in technique['Steps'].items():
            if not len(step["Procedure"]):
                continue
            print(f'    {step_id}) {step["Procedure"]}')
            for detection in step['DetectionCategories']:
                for k,v in detection.items():
                    k = k.strip()
                    if len(k):
                        print(f'      {k}')
        return

    def get_procedure(self, procedure_id):
        # A procedure (step id) can map to several techniques; print each technique's detections.
        found_proc = False
        print(f'{self.filename}')
        for technique_id, technique in self.data.items():
            if technique_id == 'PublicRelease':
                continue
            if procedure_id in technique['Steps']:
                step = technique['Steps'][procedure_id]
                if not len(step["Procedure"]):
                    continue
                if not found_proc:
                    print(f'  {procedure_id}) {step["Procedure"]}')
                    found_proc = True
                print(f'    {technique_id}: {technique["TechniqueName"]}')
                for detection in step['DetectionCategories']:
                    for k,v in detection.items():
                        k = k.strip()
                        if len(k):
                            print(f'      {k}')
        return

    def search_eval(self, substring):
        # Case-insensitive regex search over technique names, procedures,
        # detection category names and detection notes; optional --technique /
        # --procedure arguments narrow the search to one technique or step.
        techniques = []
        procedures = []
        detections = []
        notes = []
        for technique_id, technique in self.data.items():
            if technique_id == 'PublicRelease':
                continue
            if self.args.technique and not technique_id == self.args.technique:
                continue
            if re.search(substring, technique['TechniqueName'], re.IGNORECASE):
                techniques.append(f'{technique_id}:\t{technique["TechniqueName"]}')
            for step_id, step in technique['Steps'].items():
                if self.args.procedure and not step_id == self.args.procedure:
                    continue
                if re.search(substring, step['Procedure'], re.IGNORECASE):
                    procedures.append('{:20}{}'.format(f'{step_id}:{technique_id})',step["Procedure"]))
                for detection in step['DetectionCategories']:
                    for k,v in detection.items():
                        if re.search(substring, k, re.IGNORECASE):
                            detections.append('{:20}{}'.format(f'{step_id}:{technique_id})', k))
                        if re.search(substring, v, re.IGNORECASE):
                            notes.append('{:20}{}\t{}'.format(f'{step_id}:{technique_id})', k, v))

        if len(techniques) or len(procedures) or len(detections) or len(notes):
            print(f'{self.filename}')
            if len(techniques):
                print('\n  Techniques\n  ----------')
                for technique in techniques:
                    print(f'    
{technique}') 83 | if len(procedures): 84 | print('\n Procedures\n ----------') 85 | for procedure in procedures: 86 | print(f' {procedure}') 87 | if len(detections): 88 | print('\n Detections\n ----------') 89 | for detection in detections: 90 | print(f' {detection}') 91 | if len(notes): 92 | print('\n Detection Notes\n ---------------') 93 | for note in notes: 94 | print(f' {note}') 95 | return 96 | 97 | def run(self, infile): 98 | if not re.search(args.vendor, infile, re.IGNORECASE): 99 | return 100 | else: 101 | self.filename = infile 102 | 103 | with open(self.filename) as json_data: 104 | self.data = json.load(json_data) 105 | 106 | if self.args.search: 107 | self.search_eval(self.args.search) 108 | elif self.args.technique: 109 | self.get_technique(self.args.technique.upper()) 110 | elif args.procedure: 111 | self.get_procedure(self.args.procedure.upper()) 112 | 113 | 114 | def parse_args(): 115 | parser = argparse.ArgumentParser( 116 | description='Query utility for the MITRE ATT&CK Evaluations' 117 | ) 118 | parser.add_argument( 119 | '-t', 120 | '--technique', 121 | type=str, 122 | help='Query based on the supplied ATT&CK Technique (example: $ python query_attack.py -t T1043)', 123 | default=False 124 | ) 125 | parser.add_argument( 126 | '-p', 127 | '--procedure', 128 | type=str, 129 | help='Query based on the supplied Step/Procedure (example: $ python query_attack.py -p 1.A.1)', 130 | default=False 131 | ) 132 | parser.add_argument( 133 | '-s', 134 | '--search', 135 | type=str, 136 | help='Query all descriptions for the supplied substring (example: $ python query_attack.py -s ipconfig)', 137 | default=False 138 | ) 139 | parser.add_argument( 140 | 'vendor', 141 | type=str, 142 | nargs='?', 143 | help='Optional argument to allow you to filter down to a particular vendor (example: $ python query_attack.py -s tainted countertack)', 144 | default='.' 
145 | ) 146 | 147 | args = parser.parse_args() 148 | if not (args.technique or args.procedure or args.search): 149 | parser.print_help() 150 | return False 151 | 152 | return args 153 | 154 | 155 | if __name__ == '__main__': 156 | args = parse_args() 157 | if args: 158 | attack = QueryAttackEval(args) 159 | 160 | for infile in glob.glob(os.path.join('./data/', '*json')): 161 | attack.run(infile) 162 | 163 | 164 | -------------------------------------------------------------------------------- /simple_score.py: -------------------------------------------------------------------------------- 1 | import json 2 | import glob 3 | import os 4 | 5 | # I didn't clean the data because I didn't want to modify anything, 6 | # irregularities in data source lead to some duplication here. 7 | scoring = { 'Specific Behavior':5, \ 8 | 'Specific Behavior, Tainted':5, \ 9 | 'Specific Behavior,Tainted':5, \ 10 | 'General Behavior':5, \ 11 | 'General Behavior, Tainted':5, \ 12 | 'Specific Behavior, Delayed':3, \ 13 | 'Specific Behavior,Delayed':3, \ 14 | 'General Behavior, Delayed':3, \ 15 | 'General Behavior,Delayed':3, \ 16 | 'General Behavior,Delayed,Tainted':3, \ 17 | 'Enrichment':3, \ 18 | 'Enrichment, Tainted':3, \ 19 | 'Enrichment,Tainted':3, \ 20 | 'Enrichment, Delayed':1, \ 21 | 'Enrichment, Delayed, Tainted':1, \ 22 | 'Enrichment,Delayed, Tainted':1, \ 23 | 'Enrichment,Delayed,Tainted':1, \ 24 | 'Enrichment, Tainted, Delayed':1, \ 25 | 'Enrichment,Tainted, Delayed':1, \ 26 | 'Telemetry':1, \ 27 | 'Telemetry, Tainted':1, \ 28 | 'Telemetry,Tainted':1, \ 29 | 'Telemetry, Delayed':1, \ 30 | 'Specific Behavior,Configuration Change':0, \ 31 | 'General Behavior,Configuration Change':0, \ 32 | 'General Behavior, Configuration Change, Delayed, Tainted':0, \ 33 | 'General Behavior,Configuration Change, Delayed, Tainted':0, \ 34 | 'Enrichment, Configuration Change':0, \ 35 | 'Enrichment,Configuration Change':0, \ 36 | 'Enrichment, Tainted,Configuration Change':0, \ 37 | 'Enrichment, 
Tainted, Configuration Change':0, \ 38 | 'Enrichment,Tainted,Configuration Change':0, \ 39 | 'Indicator of Compromise,Configuration Change':0, \ 40 | 'Telemetry,Configuration Change':0, \ 41 | 'General Behavior, Configuration Change':0, \ 42 | 'Telemetry, Configuration Change':0, \ 43 | 'Indicator of Compromise':0, \ 44 | 'Indicator of Compromise, Delayed':0, \ 45 | 'None':0 } 46 | 47 | def generate_score(data): 48 | totalscore = 0 49 | for technique_id, technique in data.items(): 50 | if technique_id == 'PublicRelease': 51 | continue 52 | for step in technique['Steps'].values(): 53 | stepscore = 0 54 | for detection in step['DetectionCategories']: 55 | for k,v in detection.items(): 56 | if len(k.strip()) and stepscore < scoring[k.strip()]: 57 | stepscore = scoring[k.strip()] 58 | totalscore += stepscore 59 | return totalscore 60 | 61 | 62 | path = './data/' 63 | for infile in glob.glob(os.path.join(path, '*json')): 64 | with open(infile) as json_data: 65 | data = json.load(json_data) 66 | score = generate_score(data) 67 | print(f'{infile} - {score}') 68 | 69 | 70 | -------------------------------------------------------------------------------- /total_misses.py: -------------------------------------------------------------------------------- 1 | import json 2 | import glob 3 | import os 4 | 5 | 6 | def generate_score(data): 7 | totalmisses = 0 8 | for technique_id, technique in data.items(): 9 | if technique_id == 'PublicRelease': 10 | continue 11 | for step in technique['Steps'].values(): 12 | for detection in step['DetectionCategories']: 13 | for k,v in detection.items(): 14 | if k.strip() == 'None': 15 | # This additional filter is required to recreate the numbers from the Endgame blog. 
16 | if v[:56] == 'No detection capability demonstrated for this procedure.': 17 | totalmisses += 1 18 | return totalmisses 19 | 20 | 21 | path = './data/' 22 | for infile in glob.glob(os.path.join(path, '*json')): 23 | with open(infile) as json_data: 24 | data = json.load(json_data) 25 | score = generate_score(data) 26 | print(f'{infile} - {score}') 27 | 28 | --------------------------------------------------------------------------------
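The scoring tables in kill_chain_analysis.py and simple_score.py list every whitespace and ordering variant of the category labels by hand, so any label the tables miss raises a KeyError at scoring time. The following is an added example, not code from this repository: it canonicalises a raw label into a base category plus a set of modifiers, scores it with the tiers inferred from the two tables (Configuration Change forces 0, Delayed drops a tier, Tainted is not penalised), offers a check that reports where a hand-written table disagrees with that rule, and computes the best category per kill-chain step on a constructed fragment shaped like the vendor result files. The `DELAYED_TIER` mapping, the sample procedures and notes, and the `PublicRelease` value are assumptions made for the example.

```python
import json

# Scores the repository's tables assign to each base category when no modifier applies.
BASE_SCORE = {
    'Specific Behavior': 5,
    'General Behavior': 5,
    'Enrichment': 3,
    'Telemetry': 1,
    'Indicator of Compromise': 0,
    'None': 0,
}
# Modifiers the evaluation appends to a category, in any order and spacing.
MODIFIERS = {'Tainted', 'Delayed', 'Configuration Change'}
# Tier a category drops to when the detection was Delayed. Assumption inferred
# from the scoring tables: 5 -> 3, 3 -> 1, telemetry and IoC stay where they are.
DELAYED_TIER = {5: 3, 3: 1, 1: 1, 0: 0}


def parse_label(label):
    """Canonicalise a raw label such as 'Enrichment,Delayed, Tainted'.

    Returns (base_category, set_of_modifiers). Whitespace and modifier order
    are ignored, so every near-duplicate key in the scoring tables collapses
    to one form. Unknown tokens raise instead of silently scoring 0.
    """
    parts = [p.strip() for p in label.split(',')]
    parts = [p for p in parts if p]
    if not parts:                       # the result files also contain '' keys
        return None, set()
    base, mods = parts[0], set(parts[1:])
    if base not in BASE_SCORE:
        raise ValueError(f'unknown detection category in {label!r}')
    unknown = mods - MODIFIERS
    if unknown:
        raise ValueError(f'unknown modifier(s) {sorted(unknown)} in {label!r}')
    return base, mods


def score_label(label):
    """Score a raw label with the same tiers as the repository's tables."""
    base, mods = parse_label(label)
    if base is None or 'Configuration Change' in mods:
        return 0                        # empty label, or detection needed a config change
    score = BASE_SCORE[base]
    if 'Delayed' in mods:
        score = DELAYED_TIER[score]
    return score                        # 'Tainted' carries no penalty


def mismatches(table):
    """Compare a hand-written {label: score} table against score_label().

    Returns {label: (table_score, computed_score)} for every disagreement, so a
    scoring dictionary like the ones above can be checked for copy errors.
    """
    return {k: (v, score_label(k)) for k, v in table.items() if score_label(k) != v}


def best_per_step(data):
    """Best score per kill-chain step, keyed by the 1-based leading step number."""
    best = {}
    for technique_id, technique in data.items():
        if technique_id == 'PublicRelease':
            continue
        for step_id, step in technique['Steps'].items():
            step_no = int(step_id.split('.', 1)[0])
            for detection in step['DetectionCategories']:
                for label in detection:
                    best[step_no] = max(best.get(step_no, 0), score_label(label))
    return best


# Constructed fragment shaped like the vendor result files; the procedures,
# notes and the PublicRelease value are placeholders, not evaluation data.
SAMPLE_RESULTS = json.loads('''{
  "PublicRelease": "placeholder",
  "T1043": {"TechniqueName": "Commonly Used Port", "Steps": {
    "1.A.1": {"Procedure": "constructed: beacon over 443", "DetectionCategories": [
      {"Telemetry": "constructed note"},
      {"Specific Behavior, Delayed": "constructed note"}]},
    "11.A.1": {"Procedure": "constructed: beacon over 443 (second scenario)", "DetectionCategories": [
      {"Enrichment,Configuration Change": "constructed note"}]}}},
  "T1016": {"TechniqueName": "System Network Configuration Discovery", "Steps": {
    "2.B.1": {"Procedure": "constructed: ipconfig", "DetectionCategories": [
      {"None": "No detection capability demonstrated for this procedure."}]}}}
}''')

if __name__ == '__main__':
    for step_no, score in sorted(best_per_step(SAMPLE_RESULTS).items()):
        print(f'step {step_no}: {score}')
```

Passing one of the repository's `scoring` dictionaries to `mismatches()` is the quickest way to confirm the hand-maintained table and the rule agree; an empty result means every listed variant scores as the rule predicts, and any non-empty entry points at either a table typo or a label shape the rule does not yet know about.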