Free Telemetry Report

Columns: Step, Procedure, Criteria, Technique, Detections (Type / Notes)

Step 1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution
Detections:
  Type: Telemetry
  Notes: Telemetry showed explorer.exe executing rcs.3aka3.doc [1] [2]
  Type: General
  Notes: A General detection can be created to show new applications executed on the endpoint by leveraging registry modifications to \Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\ [1]

Step 1.A.2
Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Technique: Masquerading
Detections:
  Type: Telemetry
  Notes: Telemetry shows the RTLO character by looking for bi-directional text control characters in the file name backing the Image [1] [2]
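The detection described for this step, checking the file name behind a process image for bi-directional control characters, is shown below as an added example; it is not code from the evaluation, the vendor or MITRE. The event records are constructed here and loosely modelled on Sysmon process-creation fields (Image, ParentImage), which is an assumption about the telemetry format. The example goes slightly beyond the single RTLO case in the text: it flags every Unicode explicit bidi formatting control (U+202E is class RLO), reports the name as stored on disk, and approximates how the name would be rendered, so an analyst can see both forms in one finding.

```python
import unicodedata

# Unicode bidirectional classes that are explicit formatting controls.
# U+202E (RIGHT-TO-LEFT OVERRIDE) has class 'RLO'; U+202C (POP DIRECTIONAL FORMATTING) is 'PDF'.
BIDI_CONTROL_CLASSES = {"RLO", "LRO", "RLE", "LRE", "PDF", "RLI", "LRI", "FSI", "PDI"}

# Constructed process-creation events (not real telemetry), with Sysmon-style field names.
# The first Image carries an RTLO prefix: stored as "cod.3aka3.scr", rendered as "rcs.3aka3.doc".
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": "C:\\Users\\Pam\\Downloads\\\u202Ecod.3aka3.scr"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
]


def find_bidi_controls(text):
    """Return (offset, 'U+XXXX', bidi class) for every bidi formatting control in text."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.bidirectional(ch))
            for i, ch in enumerate(text)
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]


def logical_name(text):
    """The name with controls stripped: the character order the filesystem and loader see."""
    return "".join(ch for ch in text
                   if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)


def displayed_name(text):
    """Approximate a file browser's rendering: an RLO mirrors the run that follows it,
    up to a PDF (pop) or the end of the string. Other controls are invisible."""
    out, i = [], 0
    while i < len(text):
        cls = unicodedata.bidirectional(text[i])
        if cls == "RLO":
            j = i + 1
            while j < len(text) and unicodedata.bidirectional(text[j]) != "PDF":
                j += 1
            out.append(logical_name(text[i + 1:j])[::-1])
            i = j + 1
        elif cls in BIDI_CONTROL_CLASSES:
            i += 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def basename(path):
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect_rtlo_masquerade(events):
    """One finding per event whose Image file name contains a bidi control character."""
    findings = []
    for ev in events:
        name = basename(ev["Image"])
        hits = find_bidi_controls(name)
        if hits:
            findings.append({
                "parent": basename(ev["ParentImage"]),
                "controls": hits,
                "on_disk": logical_name(name),
                "displayed": displayed_name(name),
            })
    return findings


if __name__ == "__main__":
    for f in detect_rtlo_masquerade(SAMPLE_EVENTS):
        print(f"{f['parent']} -> stored {f['on_disk']!r}, shown as {f['displayed']!r}, controls {f['controls']}")
```

Because the check runs on the name the OS actually stores, it is indifferent to which extension the rendered name appears to have; pairing the stored and displayed forms in the finding is what lets an analyst recognise the document-looking name as a screensaver executable without opening it.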

Step 1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port
Detections:
  Type: Telemetry
  Notes: Telemetry showed rcs.3aka3.doc connected to 192.168.0.5 over port 1234 [1] [2]

Step 1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1]

Step 1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed cmd.exe spawning from rcs.3aka3.doc. This event was correlated to a Technique detection for masquerading. [1] [2]

Step 1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed cmd.exe executing powershell.exe. The telemetry was correlated to a parent alert for malicious file execution. [1] [2]

Step 2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]

Step 2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing ChildItem. The event was correlated to a parent General detection for malicious file execution. [1] [2]

Step 2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe compressing via Compress-Archive. The event was correlated to a parent General detection for malicious file execution. [1] [2]

Step 2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed file creation of Draft.zip. This was correlated to a prior detection of the parent PowerShell process. [1]

Step 2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed rcs.3aka3.doc creating monkey.png. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]

Step 3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information
Detections:
  Type: Telemetry
  Notes: Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. [1] [2]

Step 3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking
Detections:
  Type: Telemetry
  Notes: Telemetry showed the addition of the DelegateExecute Registry Value. [1]

Step 3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control
Detections:
  Type: Technique
  Notes: A Technique detection can be created for sdclt spawning child processes, which would catch sdclt.exe spawning control.exe. This could be an indicator of sdclt being used for Bypass UAC techniques. [1] [2]
  Type: Telemetry
  Notes: Telemetry showed sdclt.exe being spawned as a high integrity process and control.exe creating a high integrity powershell.exe. [1] [2] [3] [4]

Step 3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe connecting to 192.168.0.5 on port 443. The event was correlated to a parent technique detection for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed the deletion of the command subkey. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]

Step 4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]

Step 4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2] [3] [4]

Step 4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Get-Process. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2] [3]

Step 4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2] [3]

Step 4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2] [3]

Step 4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing $env:TEMP. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing $env:USERNAME. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing $env:COMPUTERNAME. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing $env:USERDOMAIN. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing $PID. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject … -Class AntiVirusProduct
Technique: Security Software Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Get-WmiObject … -Class AntiVirusProduct. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject … -Class FireWallProduct
Technique: Security Software Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Get-WmiObject … -Class FireWallProduct. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery
Detections:
  Type: Technique (Alert)
  Notes: A Technique alert can be generated by looking for domain users (account names not matching *$) requesting handles to SAM_DOMAIN objects from the DC. This can be correlated with network logon sessions created by the user performing the action remotely. [1]
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Invoke-NetUserGetGroups. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed Netapi32.dll loaded into powershell.exe. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Invoke-NetUserGetLocalGroups. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed Netapi32.dll loaded into powershell.exe. The detection was correlated to a parent grouping of malicious activity. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the Javamtsup service
Technique: New Service
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed PowerShell created the new service javamtsup. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. There is also telemetry that showed the creation and modification of registry keys for the javamtsup service install. [1] [2] [3]

Step 5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed the file write of hostui.lnk in the Startup folder. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Technique: Credentials in Files
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure. However, with a SACL on %APPDATALOCAL%\Google\chrome\user data\default, it would generate an event.

Step 6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed the hash of accesschk.exe, which can be used to verify it is not the legitimate Sysinternals tool. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]
  Type: General (Correlated)
  Notes: A General alert detection can be generated for accesschk.exe execution after searching for its hash in VirusTotal. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a file create event for a $RandomFileName.pfx file by powershell.exe. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry shows powershell.exe using the CreateRemoteThread API call to inject into lsass.exe. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture
Detections:
  Type: Telemetry (Correlated)
  Notes: powershell.exe loading System.Drawing.ni.dll, indicating possible Screen Capture. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Get-Clipboard. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed the file create event for OfficeSupplies.7z. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

Step 7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed PowerShell Copy-Item to a remote adversary WebDAV network share (192.168.0.4). The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]
  Type: Technique (Alert)
  Notes: A Technique alert can be created for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This provides context on the WebClient service used for the WebDAV activity. [1]
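Two of the Technique-level detections in this report are parent/child process rules: sdclt.exe spawning any child and control.exe launching a high-integrity powershell.exe (step 3.B.2), and svchost.exe spawning rundll32.exe with davclnt.dll,DavSetCookie on the command line (step 7.B.4). The following is an added example of those rules run over constructed process-creation records, together with the parent-chain correlation that the "Telemetry (Correlated)" entries describe; it is not code from the vendor, MITRE or the evaluation. Field names (ProcessId, ParentProcessId, Image, ParentImage, CommandLine, IntegrityLevel) are assumed Sysmon-style names, the process IDs are made up, and the DavSetCookie arguments after the DLL name are a constructed illustration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed Sysmon-style process-creation records (not real telemetry from the evaluation).
# PIDs and the DavSetCookie arguments are invented for the example.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": 4100, "ParentProcessId": 3988, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\sdclt.exe", "CommandLine": "sdclt.exe", "IntegrityLevel": "High"},
    {"ProcessId": 4120, "ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\sdclt.exe",
     "Image": r"C:\Windows\System32\control.exe", "CommandLine": "control.exe", "IntegrityLevel": "High"},
    {"ProcessId": 4188, "ParentProcessId": 4120, "ParentImage": r"C:\Windows\System32\control.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden", "IntegrityLevel": "High"},
    {"ProcessId": 5012, "ParentProcessId": 880, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\system32\davclnt.dll,DavSetCookie 192.168.0.4 http://192.168.0.4/",
     "IntegrityLevel": "Medium"},
    {"ProcessId": 5100, "ParentProcessId": 3500, "ParentImage": r"C:\Windows\explorer.exe",   # ordinary user shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe", "IntegrityLevel": "Medium"},
]


def basename(path: object) -> str:
    """Lower-cased last path component, accepting either separator."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule for 3.B.2: sdclt.exe has no business spawning children, so any child is flagged.
def sdclt_spawning_child(ev: Event) -> bool:
    return basename(ev["ParentImage"]) == "sdclt.exe"


# Rule for 3.B.2: control.exe launching a high-integrity powershell.exe completes the elevation chain.
def high_integrity_powershell_from_control(ev: Event) -> bool:
    return (basename(ev["ParentImage"]) == "control.exe"
            and basename(ev["Image"]) == "powershell.exe"
            and str(ev.get("IntegrityLevel", "")).lower() == "high")


# Rule for 7.B.4: the WebClient service host running rundll32 with davclnt.dll,DavSetCookie marks WebDAV use.
_DAVSETCOOKIE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie", re.IGNORECASE)


def webdav_client_davsetcookie(ev: Event) -> bool:
    return (basename(ev["ParentImage"]) == "svchost.exe"
            and basename(ev["Image"]) == "rundll32.exe"
            and _DAVSETCOOKIE.search(str(ev.get("CommandLine", ""))) is not None)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("sdclt_spawning_child", sdclt_spawning_child),
    ("high_integrity_powershell_from_control", high_integrity_powershell_from_control),
    ("webdav_client_davsetcookie", webdav_client_davsetcookie),
]


def run_rules(events: List[Event]) -> List[Tuple[int, str]]:
    """Evaluate every rule against every event; return (ProcessId, rule name) hits in event order."""
    return [(int(ev["ProcessId"]), name) for ev in events for name, pred in RULES if pred(ev)]


def correlate(events: List[Event], hits: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Attach each hit to the topmost hit on its ancestor chain, the way the report's
    'Telemetry (Correlated)' rows tie an event back to a parent alert."""
    parent_of = {int(ev["ProcessId"]): int(ev["ParentProcessId"]) for ev in events}
    hit_by_pid: Dict[int, str] = {}
    for pid, name in hits:
        hit_by_pid.setdefault(pid, name)
    out = []
    for pid, name in hits:
        root: Optional[Tuple[int, str]] = None
        anc, seen = parent_of.get(pid), set()
        while anc is not None and anc not in seen:       # guard against PID-reuse cycles
            seen.add(anc)
            if anc in hit_by_pid:
                root = (anc, hit_by_pid[anc])
            anc = parent_of.get(anc)
        out.append({"pid": pid, "rule": name, "correlated_to": root})
    return out


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, run_rules(SAMPLE_EVENTS)):
        print(finding)
```

The ordinary explorer.exe-launched PowerShell in the sample produces no hit, which is the point of keying the second rule on both the control.exe parent and the High integrity level rather than on powershell.exe alone; the correlation step then reports the high-integrity PowerShell as a child of the sdclt.exe finding, so an analyst sees one chain rather than two unrelated alerts.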

Step 8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 8.A.2
Procedure: Established WinRM connection to remote host NASHUA (10.0.1.6)
Criteria: Network connection to NASHUA (10.0.1.6) over port 5985
Technique: Remote System Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a network connection to remote host NASHUA (10.0.1.6) over TCP port 5985. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed wsmprovhost.exe executing Get-Process. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

Step 8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy
Detections:
  Type: Telemetry
  Notes: Telemetry showed python.exe being created on NASHUA (10.0.1.6). Windows Security event logs tell us it came from SCRANTON (10.0.1.4) via the ADMIN$ share. [1] [2]

Step 8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 8.C.1
Procedure: Logged on to remote host NASHUA (10.0.1.6) using valid credentials for user Pam
Criteria: Successful logon as user Pam on NASHUA (10.0.1.6)
Technique: Valid Accounts
Detections:
  Type: Telemetry
  Notes: Telemetry showed a valid logon on NASHUA (10.0.1.6) as user Pam from SCRANTON (10.0.1.4). [1]

Step 8.C.2
Procedure: Established SMB session to remote host NASHUA's (10.0.1.6) IPC$ share using PsExec
Criteria: SMB session to NASHUA (10.0.1.6) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares
Detections:
  Type: Telemetry
  Notes: Telemetry showed PsExec (PSEXESVC) establishing an SMB session to remote host NASHUA's (10.0.1.6) IPC$ share. [1]

Step 8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed python.exe spawned by PSEXESVC.exe. This can be correlated with services.exe as the grandparent. [1] [2]

Step 9.A.1
Procedure: Dropped rar.exe to disk on remote host NASHUA (10.0.1.6)
Criteria: python.exe creating the file rar.exe
Technique: Remote File Copy
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a file created event for python.exe creating rar.exe. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 9.A.2
Procedure: Dropped sdelete64.exe to disk on remote host NASHUA (10.0.1.6)
Criteria: python.exe creating the file sdelete64.exe
Technique: Remote File Copy
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a file created event for python.exe creating sdelete64.exe. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed python.exe executing powershell.exe. This event was correlated to psexesvc.exe executing python.exe. [1] [2]

Step 9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing ChildItem. This event was correlated to psexesvc.exe executing python.exe. [1] [2]

Step 9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing ChildItem. This event was correlated to psexesvc.exe executing python.exe. [1] [2]

Step 9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Technique: Data Staged
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a File Created event for powershell.exe creating working.zip. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Technique: Data Encrypted
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing rar.exe with command-line arguments to encrypt working.zip. This event was correlated to psexesvc.exe executing python.exe. [1] [2]

Step 9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Technique: Data Compressed
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed powershell.exe executing rar.exe with command-line arguments to compress working.zip. This event was correlated to psexesvc.exe executing python.exe. [1] [2]

Step 9.B.8
Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a “File Delete” event for rar.exe. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a “File Delete” event for Desktop\working.zip. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 9.C.3
Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a “File Delete” event for \AppData\Roaming\working.zip. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 9.C.4
Procedure: Deleted SDelete on disk using the cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Technique: File Deletion
Detections:
  Type: Telemetry (Correlated)
  Notes: Telemetry showed a “File Delete” event for sdelete64.exe. This event was correlated to psexesvc.exe executing python.exe. [1]

Step 10.A.1
Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe
Technique: Service Execution
Detections:
  Type: Telemetry
  Notes: Telemetry showed javamtsup.exe with parent process services.exe [1] [2]

Step 10.B.1
Procedure: Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria: Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Technique: Registry Run Keys / Startup Folder
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 10.B.2
Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API
Technique: Execution through API
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.

Step 10.B.3
Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Technique: Access Token Manipulation
Detections:
  Type: None
  Notes: No detection capability demonstrated for this procedure.