PR | 2 |
ИКС (Yandex Site Quality Index) | 10 |
Pages in Google | 406 |
Pages in Yandex | 0 |
Dmoz | No |
Yandex Catalog | No |
Alexa Traffic Rank | No data |
Alexa Country | No data |
REPLY-TO-ALL Information Security Blog
n/a
n/a
UTF-8
658.02 KB
2 500
254 174 chars.
216 893 chars.
Counter | Visitors in 24 hours | Views | Views per visitor |
---|---|---|---|
Google Analytics | No access | No access | n/a |
linkpad data ( 10 May 2013 ) | |
Number of links to the site | 0 |
Number of domains linking to the site | 0 |
Number of anchors found | 0 |
Outgoing (external) links of the domain | 0 |
Number of domains the site links to | 0 |
Number of outgoing anchors | 0 |
External links from the main page ( 1236 ) | |
attackevals.mitre.org/evaluations.html | MITRE test |
attackevals.mitre.org/evaluations/fireeye.1.apt3.1.html | FireEye |
attackevals.mitre.org/evaluations/cybereason.1.apt3.1.html | Cybereason |
fireeye.com/blog/products-and-services/2019/02/mitre-evaluat... | one |
cybereason.com/blog/mitre-attck-evaluation-results | two |
attackevals.mitre.org/methodology/detection-categorization.h... | detection types |
twitter.com/SVSoldatov/status/1075272448046784512 | procedures |
github.com/votadlos/MITRE/blob/master/t.py | available on git |
github.com/votadlos/MITRE/blob/master/out.html | out.html |
attack.mitre.org/techniques/T1012/ | T1012 |
attackevals.mitre.org/cs-12.e.1.6.1-1.png.html | Telemetry showing the Get-Sysinfo function |
attackevals.mitre.org/eg-12-e-05.png.html | Interactive Shell events showing the WinEnum script and Clipboard Contents function (does not count as part of detection due to ... |
attackevals.mitre.org/cb-13.c.1-1.png.html | Telemetry showing process tree with reg.exe and command-line arguments |
attackevals.mitre.org/cb-13.c.1-2.png.html | Enrichment of reg.exe event with correct ATT&CK Technique (Query Registry) |
attackevals.mitre.org/ct-13.c.1-1.png.html | Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-13.c.1-4.png.html | Telemetry from process tree showing reg.exe with command-line arguments (tainted by previous powershell.exe detection by red lin... |
attackevals.mitre.org/cs-13.c.1-2.png.html | OverWatch General Behavior alert indicating reg query was suspicious (tainted by previous powershell.exe detection by orange lin... |
attackevals.mitre.org/cs-13.c.1-3.png.html | OverWatch General Behavior alert indicating reg query was suspicious |
attackevals.mitre.org/cs-e-8.png.html | Email excerpt from the OverWatch team indicating net localgroup was part of additional malicious discovery activity (General Beh... |
attackevals.mitre.org/cr-13.c.1-10.png.html | Telemetry showing reg.exe with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-13-3.png.html | Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discover... |
attackevals.mitre.org/fe-12.a.1-2.png.html | Excerpt from the Managed Defense Report indicating a PowerShell command was run from Empire (Specific Behavior) |
attackevals.mitre.org/fe-13.c.1-1.png.html | Enrichment of reg.exe with Reg Execution alert (tagged with ATT&CK Technique T1018 - Query Registry, and Tactic, Discovery) |
attackevals.mitre.org/ms-13.c.1-1.png.html | Telemetry showing execution of reg.exe and command-line arguments |
attackevals.mitre.org/ms-13.c.1-2.png.html | Process tree view of suspicious sequence of exploration activities alert showing tainted relationship to reg.exe |
attackevals.mitre.org/rsa-13-1.png.html | Telemetry showing execution of net.exe and command-line arguments |
attackevals.mitre.org/s1-13.a.1-1.png.html | Telemetry showing execution of netstat.exe and command-line arguments (tainted Group ID not shown but was the search parameter) |
attackevals.mitre.org/cb-2.h.1-1.png.html | Telemetry from process tree showing reg.exe with command-line arguments |
attackevals.mitre.org/cb-2.h.1-2.png.html | Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) |
attackevals.mitre.org/ct-2.h.1-1.png.html | Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-2.a.1-1.png.html | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not s... |
attackevals.mitre.org/cs-2.g.1-1.png.html | Telemetry showing net with command-line arguments |
attackevals.mitre.org/cs-e-3.png.html | Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior) |
attackevals.mitre.org/cr-2.h.1-11.png.html | Telemetry showing cmd.exe executing reg with command-line arguments |
attackevals.mitre.org/cr-2.h.1-10.png.html | Telemetry within a process tree showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode al... |
attackevals.mitre.org/eg-02-18.png.html | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time peri... |
attackevals.mitre.org/eg-02-19.png.html | Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) |
attackevals.mitre.org/eg-02-15.png.html | Telemetry showing reg.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.b.1-2.png.html | Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific B... |
attackevals.mitre.org/fe-2.h.1-1.png.html | Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discov... |
attackevals.mitre.org/fe-2.h.1-2.png.html | Excerpt from the Managed Defense Report with additional details about reg |
attackevals.mitre.org/ms-2.h.1-2.png.html | Process tree view of General Behavior alert on suspicious sequence of discovery techniques (showing tainted reg.exe query comman... |
attackevals.mitre.org/ms-2.h.1-1.png.html | Telemetry showing execution sequence for reg.exe with command-line arguments |
attackevals.mitre.org/rsa-02-4.png.html | Telemetry showing net.exe with command-line arguments |
attackevals.mitre.org/s1-2.h.1-1.png.html | Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-17.a.1-2.png.html | Specific Behavior alert on powershell.exe when it replaced magnify.exe (mapped to correct ATT&CK Technique, T1015 - Accessibilit... |
attackevals.mitre.org/cb-17.a.1-1.png.html | Telemetry from process tree showing reg.exe with command-line arguments |
attackevals.mitre.org/ct-17.a.1-1.png.html | Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert) |
attackevals.mitre.org/cs-17.a.1-1.png.html | Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detec... |
attackevals.mitre.org/cr-17.a.1-10.png.html | Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-17-2.png.html | Enriched event tree showing enrichment of magnify.exe overwrite with correct ATT&CK Technique (T1015 - Accessibility Features) a... |
attackevals.mitre.org/eg-17-1.png.html | Specific Behavior alert on overwrite of magnify.exe named "Persistence-Accessibility Features" tagged with correct ATT&CK Tech... |
attackevals.mitre.org/fe-17.a.1-1.png.html | Telemetry showing reg.exe executing with command-line arguments (tainted by parent Reg Execution alert) |
attackevals.mitre.org/ms-17.a.1-2.png.html | Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query |
attackevals.mitre.org/ms-17.a.1-1.png.html | Telemetry showing reg.exe query for terminal server setting |
attackevals.mitre.org/rsa-17-1.png.html | Telemetry showing file write to magnify.exe in the system directory |
attackevals.mitre.org/s1-17.a.1-4.png.html | Threat story graph showing telemetry of reg.exe with query for terminal server setting (tainted by prior lateral movement alert ... |
attackevals.mitre.org/cb-6.a.1-1.png.html | Telemetry from process tree showing reg.exe with command-line arguments |
attackevals.mitre.org/cb-6.a.1-2.png.html | Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) |
attackevals.mitre.org/ct-6.a.1-2.png.html | Telemetry showing PIPEs created (tainted by the parent "Powershell process created" alert) |
attackevals.mitre.org/ct-6.a.1-1.png.html | Telemetry showing reg.exe with command-line arguments (tainted by the parent "Powershell process created" alert) |
attackevals.mitre.org/cs-6.a.1-1.png.html | Telemetry showing reg with command-line arguments |
attackevals.mitre.org/cs-6.a.1-2.png.html | OverWatch General Behavior alert identifying reg query as suspicious as well as reg.exe process (tainted by previous detection b... |
attackevals.mitre.org/cr-6.a.1-10.png.html | Telemetry showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/eg-06-1.png.html | Telemetry showing reg with command-line arguments |
attackevals.mitre.org/eg-06-4.png.html | Event tree view of telemetry showing port 3389 connection to 10.0.0.5 (Conficker) (tainted by parent Process Injection alert) |
attackevals.mitre.org/fe-6.a.1-1.png.html | Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discov... |
attackevals.mitre.org/fe-6.a.1-2.png.html | File Write To Named Pipe alert for write to remote named pipe from reg.exe |
attackevals.mitre.org/fe-6.a.1-3.png.html | Additional details on named pipe alert |
attackevals.mitre.org/fe-6.a.1-4.png.html | Excerpt from the Managed Defense Report with additional details about reg query |
attackevals.mitre.org/fe-2.a.1-3.png.html | Excerpt from the Managed Defense Report indicating netstat was used to enumerate active and listening network ports (Specific Be... |
attackevals.mitre.org/ms-6.a.1-2.png.html | Process tree view of suspicious process injection alert on lsass.exe showing tainted relationship to reg.exe (inner failure mess... |
attackevals.mitre.org/ms-6.a.1-1.png.html | Telemetry showing execution sequence for reg.exe with command-line arguments |
attackevals.mitre.org/rsa-06-1.png.html | Telemetry showing reg.exe with command-line arguments |
attackevals.mitre.org/s1-6.a.1-1.png.html | Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked b... |
attack.mitre.org/techniques/T1059/ | T1059 |
attackevals.mitre.org/cb-16.f.1-1.png.html | Telemetry showing process tree with cmd.exe and initial powershell.exe running as user Bob |
attackevals.mitre.org/cb-16.f.1-3.png.html | Enrichment of cmd.exe event with correct ATT&CK Technique (T1059 - Command-Line Interface) |
attackevals.mitre.org/cb-16.f.1-2.png.html | Telemetry showing process tree with cmd.exe and final powershell.exe running as user Kmitnick |
attackevals.mitre.org/ct-16.f.1-3.png.html | Telemetry showing wscript.exe execute autoupate.vbs and resulting powershell.exe (tainted by the parent "Powershell executed re... |
attackevals.mitre.org/ct-16.f.1-2.png.html | Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands... |
attackevals.mitre.org/ct-16.f.1-1.png.html | Telemetry showing svchost.exe creating cmd.exe and executing autoupdate.vbs as user Kmitnick |
attackevals.mitre.org/cs-16.f.1-2.png.html | Telemetry showing wscript.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating hi... |
attackevals.mitre.org/cs-16.f.1-1.png.html | Telemetry showing cmd.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high s... |
attackevals.mitre.org/cr-16.f.1-13.png.html | Parent alert on Malicious PowerShell Command (Invoke-RunAs) |
attackevals.mitre.org/cr-16.f.1-11.png.html | Telemetry showing cmd.exe executing autoupdate.vbs though wscript.exe (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-16-11.png.html | Telemetry showing cmd.exe executed as user Kmitnick (tainted by parent PowerShell alert) |
attackevals.mitre.org/eg-16-10.png.html | Enriched event tree showing enrichment of autoupdate.vbs execution with related ATT&CK Technique (T1064 - Scripting) and Tactic ... |
attackevals.mitre.org/eg-16-9.png.html | Enrichment showing cmd launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert) |
attackevals.mitre.org/fe-16.f.1-1.png.html | Enrichment of cmd.exe spawning wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1059 - Command-L... |
attackevals.mitre.org/fe-16.f.1-2.png.html | Telemetry showing cmd.exe executing autoupdate.vbs |
attackevals.mitre.org/ms-16.f.1-1.png.html | Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by parent PowerShell alerts) |
attackevals.mitre.org/ms-16.d.1-4.png.html | Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many Power... |
attackevals.mitre.org/ms-16.d.1-5.png.html | Parent alert for malicious PowerShell cmdlet tainting powershell.exe (alert was generated on many PowerShell script executions t... |
attackevals.mitre.org/ms-16.d.1-3.png.html | Parent alert for PowerShell with suspicious command-line tainting powershell.exe (alert was generated on many PowerShell script ... |
attackevals.mitre.org/rsa-16-6.png.html | Telemetry showing cmd.exe and executing autoupdate.vbs as user Kmitnick |
attackevals.mitre.org/s1-16.f.1-1.png.html | Telemetry showing cmd.exe launching autoupdate.vbs (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1007/ | T1007 |
attackevals.mitre.org/cb-12.a.d.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-12.d.1-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Script File Created alert) |
attackevals.mitre.org/cs-e-6.png.html | Email excerpt from the OverWatch team indicating a malicious script was run (Specific Behavior) |
attackevals.mitre.org/cs-12.d.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red l... |
attackevals.mitre.org/cr-12.d.1-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Services Discovery) and Technique (Discovery... |
attackevals.mitre.org/cr-12.d.1-1.png.html | Process tree showing alerted net.exe with correct ATT&CK Technique (System Service Discovery) (tainted by a parent PowerShell al... |
attackevals.mitre.org/eg-12-2.png.html | Telemetry showing route.exe with command-line arguments |
attackevals.mitre.org/eg-12-1.png.html | Event tree view of telemetry showing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts) |
attackevals.mitre.org/fe-12.d.1-1.png.html | Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Disco... |
attackevals.mitre.org/ms-12.d.1-2.png.html | Process tree view of "Suspicious sequence of discovery activities" alert context with net.exe command-line arguments |
attackevals.mitre.org/ms-12.d.1-1.png.html | Telemetry showing execution sequence of powershell.exe executing net.exe with command-line arguments |
attackevals.mitre.org/ms-12.a.1-3.png.html | General Behavior alert description for "Suspicious sequence of discovery activities" |
attackevals.mitre.org/ms-12.e.1-4.png.html | Process tree under alert "A malicious PowerShell Cmdlet was invoked on the machine" showing Invoke-Empire and Invoke-WinEnum |
attackevals.mitre.org/rsa-12-1.png.html | Telemetry showing qprocess.exe with command-line arguments |
attackevals.mitre.org/s1-12.a.1-3.png.html | Telemetry showing qprocess.exe with command-line arguments (tainted Group ID not shown but was the search parameter) |
attackevals.mitre.org/s1-12.a.1-1.png.html | Threat story showing initial compromise alert and powershell.exe tainting qprocess.exe |
attackevals.mitre.org/cr-17.a.1-20.png.html | Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cb-16.j.1-1.png.html | Telemetry from process tree showing sc.exe execution to query the AdobeUpdater service on Creeper |
attackevals.mitre.org/cb-16.h.1-3.png.html | Specific Behavior alert on sc.exe executing to create the AdobeUpdater service mapped to ATT&CK |
attackevals.mitre.org/ct-16.j.1-1.png.html | Enrichment showing powershell.exe executing sc.exe query AdobeUpdater service on Creeper (enriched with condition SC QC Reconnai... |
attackevals.mitre.org/cs-e-11.png.html | Email excerpt from the OverWatch team indicating PowerShell retrieved the file wdbypass (Specific Behavior) |
attackevals.mitre.org/cs-16.j.1-1.png.html | Telemetry showing sc.exe execution to query the AdobeUpdater service on Creeper process tree view (tainted from previous powersh... |
attackevals.mitre.org/cr-16.j.1-10.png.html | Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-16-14.png.html | Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persi... |
attackevals.mitre.org/fe-16.j.1-1.png.html | Additional details on enrichment of sc.exe with SC Execution alert |
attackevals.mitre.org/fe-16.l.1-1.png.html | Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with correct ATT&CK Technique, T1050 - New Service, an... |
attackevals.mitre.org/ms-16.j.1-1.png.html | Telemetry from CodeRed showing execution sequence of sc.exe service query for AdobeUpdater on Creeper |
attackevals.mitre.org/rsa-16-7.png.html | Telemetry showing execution of sc.exe to create the AdobeUpdater service |
attackevals.mitre.org/s1-16.j.1-1.png.html | Telemetry showing execution of sc.exe to query AdobeUpdater service on Creeper (tainted by relationship to threat story) |
attackevals.mitre.org/cb-2.d.2-2.png.html | Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery) |
attackevals.mitre.org/cb-2.d.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-2.d.2-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-2.d.2-1.png.html | Telemetry showing systeminfo |
attackevals.mitre.org/cr-2.d.2-10.png.html | Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/cr-2.b.1-10.png.html | Telemetry showing cmd.exe executing systeminfo |
attackevals.mitre.org/eg-02-7.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.d.2-2.png.html | Excerpt from the Managed Defense Report with additional details about net |
attackevals.mitre.org/fe-2.d.2-1.png.html | Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Disco... |
attackevals.mitre.org/ms-2.d.2-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/ms-2.d.2-2.png.html | Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.e... |
attackevals.mitre.org/rsa-02-2.png.html | Additional telemetry showing tasklist.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-7.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-2.d.1-1.png.html | Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery) |
attackevals.mitre.org/cb-2.a-all.png.html | Telemetry from process tree showing sc.exe with command-line arguments |
attackevals.mitre.org/ct-2.d.1-1.png.html | Enrichment of sc.exe with condition SC Query Reconnaissance Command (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-2.b.1-1.png.html | Telemetry showing tasklist with command-line arguments |
attackevals.mitre.org/cr-2.d.1-10.png.html | Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent In... |
attackevals.mitre.org/eg-02-6.png.html | Telemetry showing sc.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.d.1-1.png.html | Enrichment of sc.exe with SC Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic... |
attackevals.mitre.org/fe-2.d.1-3.png.html | Excerpt from the Managed Defense Report with additional details about sc |
attackevals.mitre.org/fe-2.d.1-2.png.html | Additional details from enrichment of sc.exe |
attackevals.mitre.org/ms-2.a.1-4.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing tasklist.exe |
attackevals.mitre.org/ms-2.d.1-1.png.html | Telemetry showing execution sequence for sc.exe with command-line arguments |
attackevals.mitre.org/ms-2.a.1-3.png.html | General Behavior alert on suspicious sequence of exploration activities |
attackevals.mitre.org/s1-2.a.1-6.png.html | Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/eg-12-e-06.png.html | Interactive Shell events showing the WinEnum script and the Available Shares function (does not count as a detection due to manu... |
attackevals.mitre.org/ms-12.e.1-2.png.html | Additional telemetry showing powershell.exe execution sequence resulting from WinEnum |
attackevals.mitre.org/cb-16.h.1-2.png.html | Telemetry showing module loads from execution of sc.exe to remotely query services on Creeper (10.0.0.4) |
attackevals.mitre.org/cb-16.h.1-1.png.html | Telemetry from process tree showing sc.exe execution for the service query |
attackevals.mitre.org/ct-16.h.1-1.png.html | Enrichment showing powershell.exe executing sc.exe to query services on Creeper (enriched with condition SC Query Reconnaissance... |
attackevals.mitre.org/cs-16.h.1-1.png.html | Telemetry from process tree showing sc.exe execution to query services on Creeper (tainted from previous powershell.exe detectio... |
attackevals.mitre.org/cr-16.h.1-10.png.html | Telemetry of sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-16-12.png.html | Telemetry showing sc.exe execution to query services on Creeper |
attackevals.mitre.org/fe-16.h.1-1.png.html | Additional details on enrichment of sc.exe with SC Execution alert |
attackevals.mitre.org/ms-16.h.1-1.png.html | Telemetry from CodeRed showing execution sequence of sc.exe service query to Creeper |
attackevals.mitre.org/s1-16.h.1-1.png.html | Telemetry showing execution of sc.exe to query services on Creeper (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1222/ | T1222 |
attackevals.mitre.org/cb-17.b.1-1.png.html | Telemetry from process tree showing takeown.exe with command-line arguments |
attackevals.mitre.org/ct-17.b.1-1.png.html | Telemetry showing powershell.exe executing takeown.exe (tainted by the parent "New Windows service created" alert) |
attackevals.mitre.org/cs-17.b.1-1.png.html | Telemetry from process tree view showing execution of takeown.exe (tainted by previous powershell.exe detection by red line indi... |
attackevals.mitre.org/cr-17.b.1-10.png.html | General Behavior alert for takeown.exe performing activity related to swapping an accessibility features binary (tainted by a pa... |
attackevals.mitre.org/fe-17.b.1-1.png.html | Enrichment of takeown.exe with Takeown Execution alert |
attackevals.mitre.org/ms-17.b.1-1.png.html | Telemetry showing takeown.exe execution with magnify.exe in command-line arguments |
attackevals.mitre.org/s1-17.a.1-1.png.html | Enrichment showing takeown.exe execution (tainted by prior lateral movement alert by Group ID) |
attackevals.mitre.org/cb-17.b.2-1.png.html | Telemetry from process tree showing icacls.exe with command-line arguments |
attackevals.mitre.org/ct-17.b.2-1.png.html | Telemetry showing powershell.exe executing icacls.exe (tainted by the parent "New Windows service created" alert) |
attackevals.mitre.org/cs-17.b.2-1.png.html | Telemetry from process tree view showing execution of icacls.exe (tainted by previous powershell.exe detection by red line indic... |
attackevals.mitre.org/cr-17.b.2-10.png.html | Telemetry showing icacls.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/fe-17.b.2-1.png.html | Enrichment of icacls.exe with Icacls Execution alert |
attackevals.mitre.org/ms-17.b.2-1.png.html | Telemetry showing icacls.exe execution with magnify.exe in command-line arguments |
attackevals.mitre.org/s1-17.a.1-3.png.html | Telemetry showing icacls.exe execution (tainted by prior lateral movement alert by Group ID) |
attack.mitre.org/techniques/T1036/ | T1036 |
attackevals.mitre.org/cb-19.a.1-1.png.html | Telemetry showing filemod (file modification) creation of recycler.exe |
attackevals.mitre.org/cb-19.a.1-2.png.html | Binary metadata showing recycler.exe is WinRAR.exe based on digital signature and file version information |
attackevals.mitre.org/cs-19.a.1-2.png.html | Telemetry showing SHA256 hash of recycler.exe |
attackevals.mitre.org/cr-19.a.1-100.png.html | Telemetry showing recycler.exe identified as WinRAR via file metadata (tainted by a parent PowerShell alert) |
attackevals.mitre.org/fe-19.a.1-1.png.html | Enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 ... |
attackevals.mitre.org/fe-19.a.1-3.png.html | Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific ... |
attackevals.mitre.org/fe-19.a.1-2.png.html | Continued enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert |
attackevals.mitre.org/ms-19.a.1-1.png.html | Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH |
attackevals.mitre.org/ms-19.a.1-2.png.html | Binary reputation and metadata for recycler.exe showing WinRAR information |
attackevals.mitre.org/s1-19.a.1-1.png.html | Telemetry showing file write of recycler.exe |
attackevals.mitre.org/s1-19.a.1-2.png.html | Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the sa... |
attackevals.mitre.org/cb-16.i.1-2.png.html | Telemetry from process tree showing sc.exe execution setting the AdobeUpdater service description |
attackevals.mitre.org/cb-16.i.1-1.png.html | Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service |
attackevals.mitre.org/ct-16.i.1-1.png.html | Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted... |
attackevals.mitre.org/cs-16.h.1-3.png.html | Telemetry from process tree showing sc.exe execution with the AdobeUpdater service description (tainted from previous powershell... |
attackevals.mitre.org/cs-16.h.1-4.png.html | Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description |
attackevals.mitre.org/cr-16.i.1-21.png.html | Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/fe-16.i.1-1.png.html | Additional details on enrichment of sc.exe with SC Execution alert |
attackevals.mitre.org/ms-16.i.1-1.png.html | Telemetry from CodeRed showing execution sequence of sc.exe AdobeUpdater remote service creation |
attackevals.mitre.org/s1-16.i.1-1.png.html | Telemetry showing execution of sc.exe to create the AdobeUpdater service (tainted by prior threat story) |
attackevals.mitre.org/cb-19.b.1-5.png.html | Specific Behavior alert for recycler.exe masquerading as a renamed WinRAR process |
attackevals.mitre.org/ct-19.b.1-1.png.html | Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell ... |
attackevals.mitre.org/ct-19.b.1-3.png.html | Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy D... |
attackevals.mitre.org/cs-19.b.1-1.png.html | Specific Behavior alert on RAR archive written (mapped to correct ATT&CK Technique, Data Compressed, and Tactic, Exfiltration; t... |
attackevals.mitre.org/cs-e-12.png.html | Email excerpt from the OverWatch team indicating they observed a Windows logon bypass (General Behavior) |
attackevals.mitre.org/cs-19.b.1-3.png.html | Additional details of recycler.exe from the alert showing it was signed by win.rar GmbH |
attackevals.mitre.org/cr-19.b.1-20.png.html | Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-19-1.png.html | Enriched event tree showing enrichment of recycler.exe and creation of old.rar output with related ATT&CK Technique (T1022 - Dat... |
attackevals.mitre.org/eg-19-4.png.html | Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Window... |
attackevals.mitre.org/fe-19.b.1-2.png.html | Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1002 - ... |
attackevals.mitre.org/fe-19.b.1-3.png.html | Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and ... |
attackevals.mitre.org/fe-19.b.1-1.png.html | General Behavior alert for Execution from Suspicious Directory |
attackevals.mitre.org/fe-19.b.1-4.png.html | General Behavior alert for File Write To Root Of Recycle Bin |
attackevals.mitre.org/fe-19.b.1-5.png.html | Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and ... |
attackevals.mitre.org/ms-19.b.1-1.png.html | Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression |
attackevals.mitre.org/ms-19.a.1-3.png.html | Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance ... |
attackevals.mitre.org/rsa-19-1.png.html | Telemetry showing execution of recycler.exe with command-line arguments |
attackevals.mitre.org/s1-19.b.1-1.png.html | Telemetry showing the execution of recycler.exe |
attack.mitre.org/techniques/T1035/ | T1035 |
attackevals.mitre.org/cb-16.l.1-1.png.html | Telemetry from process tree showing sc.exe execution to start the AdobeUpdater service on Creeper |
attackevals.mitre.org/ct-16.l.1-1.png.html | Telemetry showing powershell.exe executing sc.exe start AdobeUpdater service on Creeper (tainted by the parent "Powershell exec... |
attackevals.mitre.org/ct-16.l.1-2.png.html | Telemetry showing AdobeUpdater service starting on Creeper (tainted by the parent "New Windows service created" alert) |
attackevals.mitre.org/cs-16.l.1-1.png.html | Telemetry showing sc start in the process tree view (tainted from previous powershell.exe detection by red line indicating high ... |
attackevals.mitre.org/cr-16.l.1-12.png.html | Telemetry showing cmd.exe executing update.vbs |
attackevals.mitre.org/cr-16.l.1-100.png.html | Telemetry showing sc.exe executing the service (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-16-15.png.html | Specific Behavior alert "Service Command Lateral Movement" for the start of AdobeUpdater service on Creeper tagged with correc... |
attackevals.mitre.org/fe-16.i.1-3.png.html | Excerpt from the Managed Defense Report indicating sc.exe was used to create a new service (Specific Behavior) |
attackevals.mitre.org/ms-16.l.1-2.png.html | Telemetry showing service execution on Creeper and new Empire connection to www.freegoogleadsenseinfo.com (C2 domain) (C2 alert ... |
attackevals.mitre.org/ms-16.l.1-3.png.html | Specific Behavior alert showing successful remote AdobeUpdater service execution attempt from CodeRed to Creeper |
attackevals.mitre.org/ms-16.l.1-1.png.html | Telemetry from CodeRed showing execution sequence of sc.exe service start for AdobeUpdater on Creeper |
attackevals.mitre.org/rsa-16-8.png.html | Telemetry showing the execution of update.vbs on 10.0.0.4 (Creeper) |
attackevals.mitre.org/rsa-16-9.png.html | Telemetry showing the execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper) |
attackevals.mitre.org/s1-16.l.1-1.png.html | Telemetry showing execution of sc.exe to start the AdobeUpdater service on Creeper (tainted by relationship to threat story) |
attackevals.mitre.org/s1-16.g.1-1.png.html | Lateral movement alert generated by the remote service start on Creeper |
attack.mitre.org/techniques/T1033/ | T1033 |
attackevals.mitre.org/cb-2.b.1-1.png.html | Telemetry from process tree showing echo with command-line arguments |
attackevals.mitre.org/ct-2.b.1-1.png.html | Telemetry showing echo with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cr-2.b.1-100.png.html | Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/eg-02-4.png.html | Telemetry showing echo with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.b.1-3.png.html | Excerpt from the Managed Defense Report with additional details about echo |
attackevals.mitre.org/fe-2.b.1-1.png.html | Telemetry showing echo with command-line arguments |
attackevals.mitre.org/ms-2.b.1-1.png.html | Telemetry showing execution sequence for echo with command-line arguments |
attackevals.mitre.org/ms-2.a.1-5.png.html | Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing echo ... |
attackevals.mitre.org/rsa-02-1.png.html | Telemetry showing tasklist.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-4.png.html | Telemetry showing echo with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-20.b.1-2.png.html | Three alerts (one Specific Behavior and two General Behavior alerts) from execution of magnify.exe showing red severity scores |
attackevals.mitre.org/cb-20.b.1-1.png.html | Telemetry from process tree showing magnify.exe execution |
attackevals.mitre.org/ct-20.b.1-1.png.html | Telemetry showing magnify.exe (tainted by the parent POS Interactive Login Event alert) |
attackevals.mitre.org/cs-20.b.1-1.png.html | Telemetry from process tree showing magnify.exe child process whoami.exe (tainted by pink line indicating critical severity) |
attackevals.mitre.org/cr-20.b.1-10.png.html | Specific Behavior alert for whoami.exe execution with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Dis... |
attackevals.mitre.org/eg-20-1.png.html | Specific Behavior alert on Windows File Name Mismatch showing magnify.exe was renamed from cmd.exe and tagged with correct ATT&C... |
attackevals.mitre.org/eg-20-2.png.html | Enrichment of magnify.exe with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution... |
attackevals.mitre.org/fe-20.a.1-5.png.html | Specific Behavior alert for Accessibility Features Child Process due to magnify.exe spawning whoami.exe (tagged with the correct... |
attackevals.mitre.org/fe-20.a.1-6.png.html | Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery,... |
attackevals.mitre.org/ms-20.a.1-1.png.html | Telemetry showing sequence of magnify.exe executing from utilman.exe |
attackevals.mitre.org/ms-20.a.1-4.png.html | Specific Behavior alert on sticky keys binary hijack of magnify.exe |
attackevals.mitre.org/rsa-20-1.png.html | Telemetry showing magnify.exe execution |
attackevals.mitre.org/s1-20.b.1-1.png.html | Telemetry showing magnify.exe execution (identified as Windows Command Processor) |
attackevals.mitre.org/cb-12.b.1-1.png.html | Telemetry from process tree showing whoami.exe with command-line arguments |
attackevals.mitre.org/cb-12.b.1-2.png.html | Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) |
attackevals.mitre.org/ct-12.b.1-1.png.html | Enrichment of whoami.exe with condition Whoami Reconnaissance Command (tainted by parent Script File Created alert) |
attackevals.mitre.org/cs-12.b.1-1.png.html | OverWatch General Behavior alert and telemetry indicating whoami.exe with command-line arguments was suspicious (tainted from pr... |
attackevals.mitre.org/cr-12.b.1-1.png.html | Enrichment of whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User ... |
attackevals.mitre.org/cr-12.b.1-2.png.html | Enrichment of qprocess.exe executing with labels for Reconnaissance and Local process discovery |
attackevals.mitre.org/fe-12.b.1-1.png.html | Enrichment of whoami.exe with Whoami Execution (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and T... |
attackevals.mitre.org/ms-12.b.1-1.png.html | Telemetry showing execution sequence of powershell.exe executing whoami.exe with command-line arguments |
attackevals.mitre.org/ms-12.a.1-4.png.html | Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process |
attackevals.mitre.org/s1-12.a.1-2.png.html | Continued threat story showing initial compromise alert and powershell.exe tainting route.exe |
attackevals.mitre.org/eg-12-e-02.png.html | Interactive Shell events showing the WinEnum script and the Get-UserInfo function (does not count as a detection due to manual p... |
attack.mitre.org/techniques/T1032/ | T1032 |
attackevals.mitre.org/cb-11.b.1-2.png.html | Telemetry showing modloads and certificate check |
attackevals.mitre.org/ct-11.b.1-1.png.html | Telemetry showing powershell.exe making a network connection over TCP port 443 |
attackevals.mitre.org/cs-11.b.1-1.png.html | Telemetry showing powershell.exe making a network connection over port 443 (tainted by parent powershell.exe high severity alert... |
attackevals.mitre.org/cr-11.b.1-11.png.html | Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 (C2 Server) over TCP port 443 (tainted by a pare... |
attackevals.mitre.org/cr-11.a.1-13.png.html | Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-11-2.png.html | Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert) |
attackevals.mitre.org/eg-11-6.png.html | Event tree view of Specific Behavior alert for "Command and Control PowerShell Network" (tainted by parent alert) |
attackevals.mitre.org/fe-11.b.1-4.png.html | Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 443 (General Behavi... |
attackevals.mitre.org/ms-11.b.1-3.png.html | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel |
attackevals.mitre.org/ms-11.b.1-4.png.html | Telemetry within alert showing decoded command-line arguments containing port 443 and tainted relationship to the powershell.exe... |
attackevals.mitre.org/rsa-11-2.png.html | Telemetry showing network connections, including over port 443 (does not count as a detection) |
attackevals.mitre.org/s1-11.b.1-1.png.html | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (Group ID tainted the event but was ... |
attack.mitre.org/techniques/T1201/ | T1201 |
attackevals.mitre.org/eg-12-e-03.png.html | Interactive Shell events showing the WinEnum script and the AD Group Memberships function (does not count as a detection due to ... |
attack.mitre.org/techniques/T1016/ | T1016 |
attackevals.mitre.org/cb-12.a.2-1.png.html | Telemetry from process tree showing ipconfig.exe with command-line arguments |
attackevals.mitre.org/cb-12.a.1-1.png.html | Enrichment of ipconfig.exe with correct ATT&CK Technique (T1049 - System Network Configuration Discovery) |
attackevals.mitre.org/ct-12.a.2-1.png.html | Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by parent Script File Created alert) |
attackevals.mitre.org/cs-12.a.1-2.png.html | Telemetry from process tree showing ipconfig.exe with command-line arguments (tainted from previous powershell.exe detection by ... |
attackevals.mitre.org/cr-12.a.2-1.png.html | Enrichment of ipconfig.exe executing with correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discover... |
attackevals.mitre.org/fe-12.a.2-1.png.html | Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configura... |
attackevals.mitre.org/ms-12.a.1-2.png.html | Telemetry showing execution sequence of powershell.exe executing ipconfig.exe with command-line arguments |
attackevals.mitre.org/cb-4.b.1-1.png.html | Telemetry from process tree showing netsh.exe with command-line arguments |
attackevals.mitre.org/cb-4.b.1-2.png.html | Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewa... |
attackevals.mitre.org/ct-4.b.1-1.png.html | Telemetry showing netsh.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran... |
attackevals.mitre.org/cs-4.b.1-1.png.html | OverWatch General Behavior alert indicating netsh execution by cmd.exe was suspicious |
attackevals.mitre.org/cr-4.b.1-10.png.html | Enrichment of netsh.exe executing with correct ATT&CK Tactic (Discovery) and related Technique (Security Software Discovery) (ta... |
attackevals.mitre.org/eg-04-1.png.html | Telemetry from event tree showing netstat with command-line arguments |
attackevals.mitre.org/fe-4.b.1-1.png.html | Enrichment of netsh.exe with Netsh Execution alert (tagged with related ATT&CK Technique, T1063 - Security Software Discovery, a... |
attackevals.mitre.org/fe-4.b.1-2.png.html | Excerpt from the Managed Defense Report with additional details about netsh |
attackevals.mitre.org/ms-4.b.1-1.png.html | Telemetry showing execution sequence for netsh.exe with command-line arguments |
attackevals.mitre.org/ms-4.a.1-2.png.html | Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing th... |
attackevals.mitre.org/rsa-04-1.png.html | Telemetry showing netstat.exe with command-line arguments |
attackevals.mitre.org/s1-4.a.1-2.png.html | Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-12.a.1-2.png.html | Telemetry from process tree showing route.exe with command-line arguments |
attackevals.mitre.org/ct-12.a.1-1.png.html | Enrichment of route.exe with conditions Reconnaissance Tool and Route Spawned with Reconnaissance (tainted by the parent Script ... |
attackevals.mitre.org/cs-12.a.1-1.png.html | Telemetry from process tree showing route.exe with command-line arguments (tainted from previous powershell.exe detection by red... |
attackevals.mitre.org/cr-12.a.1-1.png.html | Telemetry showing route.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/fe-12.a.1-1.png.html | Enrichment of route.exe with Route Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration D... |
attackevals.mitre.org/ms-12.a.1-1.png.html | Telemetry showing execution sequence of powershell.exe executing route.exe with command-line arguments |
attackevals.mitre.org/cb-2.a.2-2.png.html | Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery) |
attackevals.mitre.org/cb-2.a.2-1.png.html | Telemetry from process tree showing arp.exe with command-line arguments |
attackevals.mitre.org/ct-2.a.2-1.png.html | Telemetry showing arp.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-2.a.2-1.png.html | Telemetry showing arp with command-line arguments |
attackevals.mitre.org/cr-2.a.2-10.png.html | Telemetry showing tasklist.exe executing within the process tree (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/cr-2.a.2-5.png.html | Telemetry showing cmd.exe executing arp with command-line arguments |
attackevals.mitre.org/eg-02-3.png.html | Telemetry showing arp.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.a.1-2.png.html | Enrichment of arp.exe with Arp Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Disco... |
attackevals.mitre.org/fe-2.a.1-5.png.html | Excerpt from the Managed Defense Report with additional details about arp.exe execution |
attackevals.mitre.org/ms-2.a.1-6.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing arp.exe |
attackevals.mitre.org/ms-2.a.1-2.png.html | Telemetry showing execution sequence for arp.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.2-1.png.html | Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-2.a.1-1.png.html | Telemetry from process tree showing ipconfig.exe with command-line arguments |
attackevals.mitre.org/cb-2.a.1-2.png.html | Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery) |
attackevals.mitre.org/ct-2.a.1-1.png.html | Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-2.a.1-2.png.html | Telemetry showing ipconfig with command-line arguments |
attackevals.mitre.org/cr-2.a.1-10.png.html | Enrichment of ipconfig.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Disc... |
attackevals.mitre.org/eg-02-1.png.html | Unusual Child Processes of RunDLL32 General Behavior alert caused by ipconfig.exe (tainted by parent Malicious File Detection) |
attackevals.mitre.org/eg-02-2.png.html | Telemetry showing ipconfig.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.a.1-4.png.html | Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution |
attackevals.mitre.org/fe-2.a.1-1.png.html | Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configura... |
attackevals.mitre.org/ms-2.a.1-1.png.html | Telemetry showing execution sequence for ipconfig.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-3.png.html | Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/eg-12-e-10.png.html | Interactive Shell events showing the WinEnum script and the Netstat Established Connections and Processes function (does not cou... |
attackevals.mitre.org/s1-12.e.1-3.png.html | Telemetry showing powershell.exe WMI queries for antivirus product information (tainted by relationship to threat story) |
attackevals.mitre.org/s1-12.e.1-2.png.html | Enrichment of powershell.exe with action "attempted to find other installed security software" (tainted Group ID not shown but... |
attack.mitre.org/techniques/T1204/ | T1204 |
attackevals.mitre.org/cb-1.a.1-2.png.html | Telemetry from process tree showing Resume Viewer.exe execution sequence with rundll32.exe |
attackevals.mitre.org/cb-1.a.1-1.png.html | Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting) |
attackevals.mitre.org/ct-1.a.1-2.png.html | Telemetry showing Resume Viewer.exe running (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-1.a.1-1.png.html | Machine Learning General Behavior alert showing execution of Resume Viewer.exe and detection as malicious |
attackevals.mitre.org/cr-1.a.1-11.png.html | General Behavior alert for explorer.exe executing Resume Viewer.exe, identified as a known malicious file |
attackevals.mitre.org/cr-1.a.1-10.png.html | General Behavior alert identifying Resume Viewer.exe as unknown malware |
attackevals.mitre.org/cr-1.a.1-100.png.html | Telemetry showing Resume Viewer.exe running as a process (tainted by parent alert on explorer.exe) |
attackevals.mitre.org/eg-01-2.png.html | Event tree view showing the Malicious File Detection alert tainting rundll32.exe telemetry |
attackevals.mitre.org/eg-01-1.png.html | Malicious File Detection General Behavior alert on Resume Viewer.exe execution and surrounding telemetry |
attackevals.mitre.org/fe-1.a.1-5.png.html | Telemetry showing Resume Viewer.exe being executed by explorer.exe |
attackevals.mitre.org/fe-1.a.1-1.png.html | General Behavior alert showing Resume Viewer.exe labeled as Malware (alert triggered after configuration change) |
attackevals.mitre.org/ms-1.a.1-8.png.html | Exploit Guard audit of Resume Viewer.exe |
attackevals.mitre.org/ms-1.a.1-4.png.html | Telemetry showing execution of pdfhelper.cmd and update.dat |
attackevals.mitre.org/ms-1.a.1-5.png.html | Telemetry showing execution of decoy PDF by MicrosoftPdfReader.exe |
attackevals.mitre.org/ms-1.a.1-6.png.html | Telemetry showing Resume Viewer.exe binary and process metadata |
attackevals.mitre.org/ms-1.a.1-7.png.html | Telemetry showing Resume Viewer.exe binary reputation |
attackevals.mitre.org/ms-1.a.1-1.png.html | Telemetry showing execution of Resume Viewer.exe from explorer.exe and dropping pdfhelper.cmd and autoupdate.bat |
attackevals.mitre.org/ms-1.a.1-2.png.html | Telemetry showing write of pdfhelper.cmd |
attackevals.mitre.org/ms-1.a.1-3.png.html | Telemetry showing write of autoupdate.bat |
attackevals.mitre.org/rsa-01-1.png.html | Telemetry showing cmd.exe "rename to executable" event for autoupdate.bat in Startup folder |
attackevals.mitre.org/s1-1.a.1-1.png.html | Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story) |
attackevals.mitre.org/s1-1.a.1-2.png.html | General Behavior alert for execution of Resume Viewer.exe as a suspicious file |
attack.mitre.org/techniques/T1039/ | T1039 |
attackevals.mitre.org/ct-18.b.1-1.png.html | Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed e... |
attackevals.mitre.org/ms-18.b.1-1.png.html | Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection) |
attackevals.mitre.org/s1-18.b.1-1.png.html | Exported telemetry of threat story (taints event) showing .vsdx file copy and write |
attackevals.mitre.org/cr-9.b.1-20.png.html | Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not co... |
attackevals.mitre.org/eg-09-3.png.html | Telemetry showing .vsdx file creation, but no indication of network shared drive (does not count as a detection) |
attackevals.mitre.org/s1-9.b.1-1.png.html | Telemetry showing .vsdx file access from WormShare on the network shared drive |
attack.mitre.org/techniques/T1055/ | T1055 |
attackevals.mitre.org/cb-3.c.1-3.png.html | Telemetry showing CreateRemoteThread API call used for thread injection into cmd.exe |
attackevals.mitre.org/cb-3.c.1-2.png.html | Telemetry showing open handles and thread injection into cmd.exe |
attackevals.mitre.org/cb-3.c.1-1.png.html | Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection) |
attackevals.mitre.org/ct-3.c.1-1.png.html | Specific Behavior alert for DLL injection detection labeled with Process Hijacking and Privilege Escalation (tainted by the pare... |
attackevals.mitre.org/cs-3.c.1-2.png.html | Telemetry showing process tree view of Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by... |
attackevals.mitre.org/cs-3.c.1-1.png.html | Specific Behavior Process Injection alert mapped to correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion) as... |
attackevals.mitre.org/cr-3.c.1-10.png.html | Alert for malicious code injection into PowerShell (does not count as a detection) |
attackevals.mitre.org/cr-3.c.1-100.png.html | Specific Behavior alert for PowerShell injection into cmd.exe mapped to ATT&CK Tactic (Defense Evasion) and Technique (Process I... |
attackevals.mitre.org/eg-03-2.png.html | Specific Behavior alert for process injection into cmd.exe |
attackevals.mitre.org/fe-3.c.1-2.png.html | Continued excerpt from the Managed Defense Report showing the artifact evidence of a process injection from PowerShell.exe to cm... |
attackevals.mitre.org/fe-3.c.1-1.png.html | Excerpt from the Managed Defense Report identifying a process injection from PowerShell.exe to cmd.exe (Specific Behavior) |
attackevals.mitre.org/ms-3.c.1-4.png.html | Telemetry showing process injection activity audited by Exploit Guard |
attackevals.mitre.org/ms-3.c.1-1.png.html | Enrichment of powershell.exe injecting into cmd.exe |
attackevals.mitre.org/ms-3.c.1-2.png.html | Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and eleva... |
attackevals.mitre.org/ms-3.c.1-3.png.html | Specific Behavior alert showing powershell.exe process injection |
attackevals.mitre.org/rsa-03-2.png.html | Alert for powershell.exe execution with encoded command-line arguments (does not count as a detection) |
attackevals.mitre.org/s1-3.c.1-2.png.html | Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view) |
attackevals.mitre.org/cb-8.d.1-1.png.html | Telemetry showing modloads and crossprocess events (does not count as a detection) |
attackevals.mitre.org/ct-8.d.1-1.png.html | Telemetry showing remote thread being created into explorer.exe (does not count as a detection) |
attackevals.mitre.org/cs-8.d.1-2.png.html | Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not coun... |
attackevals.mitre.org/cr-8.d.1-20.png.html | Specific Behavior alert for Malicious code injection to explorer.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Esca... |
attackevals.mitre.org/cr-8.d.1-21.png.html | Specific Behavior alert for process injection explorer.exe rolled into chain of injections |
attackevals.mitre.org/eg-08-3.png.html | Event tree showing process injection Specific Behavior alert (last alert in the view, ID 2561310) (tainted by parent Malicious F... |
attackevals.mitre.org/ms-8.d.1-2.png.html | Enrichment of execution sequence showing cmd.exe injecting into explorer.exe (labeled "Inject to process") |
attackevals.mitre.org/rsa-08-4.png.html | Floating Code module generated from DLL injection showing multiple jpeg components (does not count as a detection) |
attackevals.mitre.org/s1-8.d.1-1.png.html | Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view) |
attackevals.mitre.org/cb-5.a.1-1.png.html | Telemetry showing cross process events, specifically a handle to open thread into lsass.exe |
attackevals.mitre.org/ct-5.a.1-1.png.html | Alert showing DDNA Scan for svchost.exe (does not count as a detection) |
attackevals.mitre.org/ct-5.a.1-3.png.html | Alert showing additional DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does ... |
attackevals.mitre.org/ct-5.a.1-2.png.html | Alert showing DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count a... |
attackevals.mitre.org/cs-5.a.1-8.png.html | Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events |
attackevals.mitre.org/cr-5.a.1-11.png.html | Specific Behavior alert with correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection) with details ab... |
attackevals.mitre.org/cr-5.a.1-21.png.html | Data within alert showing loaded powerkatz.dll as floating executable code |
attackevals.mitre.org/eg-05-1.png.html | Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping) |
attackevals.mitre.org/ms-5.a.1-1.png.html | Process tree for sensitive credential memory read alert |
attackevals.mitre.org/ms-5.a.1-3.png.html | Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe |
attackevals.mitre.org/ms-5.a.2-2.png.html | Alert for process injection into lsass.exe tainting this event (inner failure message in screenshot not relevant to tested funct... |
attackevals.mitre.org/cb-5.a.2-4.png.html | Specific Behavior alert showing correct ATT&CK Technique (Process Injection) |
attackevals.mitre.org/cb-5.a.2-1.png.html | Alert showing correct ATT&CK Technique (Process Injection) within process tree |
attackevals.mitre.org/cb-5.a.2-2.png.html | Telemetry showing cross process events, specifically a handle to open thread into lsass.exe |
attackevals.mitre.org/ct-5.a.2-2.png.html | Telemetry showing thread create to lsass.exe (tainted by the parent "Powershell process created" and "Policy Remote Process C... |
attackevals.mitre.org/ct-5.a.2-3.png.html | General Behavior alert showing DDNA Scan for svchost.exe |
attackevals.mitre.org/ct-5.a.2-5.png.html | General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process |
attackevals.mitre.org/cs-5.a.2-5.png.html | Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events |
attackevals.mitre.org/cr-5.a.2-10.png.html | Parent alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection |
attackevals.mitre.org/cr-5.a.2-20.png.html | Telemetry showing svchost.exe process injection into lsass.exe (tainted by a parent injection alert) |
attackevals.mitre.org/cr-5.a.2-11.png.html | Telemetry within alert showing loaded hashdumpx64.dll as floating executable code |
attackevals.mitre.org/eg-05-2.png.html | Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping) |
attackevals.mitre.org/eg-05-5.png.html | Specific Behavior alert mapped to the correct ATT&CK Technique (Process Injection) |
attackevals.mitre.org/ms-5.a.2-1.png.html | Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe |
attackevals.mitre.org/s1-5.a.2-1.png.html | Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this ... |
attack.mitre.org/techniques/T1018/ | T1018 |
attackevals.mitre.org/cb-13.a.1-2.png.html | Enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) |
attackevals.mitre.org/cb-13.a.1-1.png.html | Telemetry showing process tree with net.exe and command-line arguments |
attackevals.mitre.org/ct-13.a.1-1.png.html | Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-13.a.1-1.png.html | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by previous powe... |
attackevals.mitre.org/cs-13.a.1-2.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red lin... |
attackevals.mitre.org/cr-13.a.1-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Remote System Discovery) and Technique (Discovery) |
attackevals.mitre.org/cr-13.a.1-10.png.html | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-13-2.png.html | Telemetry from event tree showing net.exe with command-line arguments (tainted by parent alert) |
attackevals.mitre.org/fe-13.a.1-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1018 - Remote System Discove... |
attackevals.mitre.org/ms-13.a.1-2.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-li... |
attackevals.mitre.org/ms-13.a.1-3.png.html | Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific netstat.exe... |
attackevals.mitre.org/ms-13.a.1-1.png.html | Telemetry showing execution of net.exe with command-line arguments |
attackevals.mitre.org/cb-4.a.1-2.png.html | Enrichment of net.exe with related ATT&CK technique (Account Discovery) |
attackevals.mitre.org/cb-4.a.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-4.a.1-1.png.html | Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPa... |
attackevals.mitre.org/cs-4.a.1-3.png.html | OverWatch General Behavior alert for net group |
attackevals.mitre.org/cs-4.a.1-2.png.html | Additional process tree view showing net.exe enrichment |
attackevals.mitre.org/cs-4.a.1-1.png.html | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) |
attackevals.mitre.org/cr-4.a.1-101.png.html | Telemetry showing net.exe executing with command-line arguments |
attackevals.mitre.org/cr-4.a.1-100.png.html | General Behavior alert for net.exe executing as part of a suspicious execution chain |
attackevals.mitre.org/cr-4.a.1-10.png.html | Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/eg-04-2.png.html | Enriched event tree showing enrichment of netstat with correct ATT&CK Technique (T1049 - System Network Connections Discovery) a... |
attackevals.mitre.org/fe-4.a.1-2.png.html | Excerpt from the Managed Defense Report with additional details about net group |
attackevals.mitre.org/fe-4.a.1-1.png.html | Telemetry showing the user Debbie executing net.exe with command-line arguments during Step 4 |
attackevals.mitre.org/ms-4.a.1-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/s1-4.a.1-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-4.a.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/cb-4.a.2-2.png.html | Enrichment of net.exe with related ATT&CK technique (Account Discovery) |
attackevals.mitre.org/ct-4.a.2-1.png.html | Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPa... |
attackevals.mitre.org/cs-4.a.2-1.png.html | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) |
attackevals.mitre.org/cs-4.a.2-2.png.html | Additional process tree view showing net.exe enrichment |
attackevals.mitre.org/cs-4.a.2-3.png.html | OverWatch General Behavior alert for net group |
attackevals.mitre.org/cr-4.a.2-10.png.html | Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/cr-4.a.2-100.png.html | General Behavior alert for net.exe executing as part of a suspicious execution chain |
attackevals.mitre.org/fe-4.a.2-2.png.html | Excerpt from the Managed Defense Report with additional details about net group |
attackevals.mitre.org/fe-4.a.2-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Di... |
attackevals.mitre.org/ms-4.a.2-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/s1-4.a.1-3.png.html | Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious) |
attack.mitre.org/techniques/T1071/ | T1071 |
attackevals.mitre.org/cb-6.b.1-2.png.html | Telemetry showing network connection over port 80 to 192.168.0.4 (C2 server) |
attackevals.mitre.org/cb-6.b.1-8.png.html | Telemetry showing modloads showing winhttp.dll loaded |
attackevals.mitre.org/ct-6.b.1-2.png.html | Telemetry showing outbound C2 traffic over HTTP to www.freegoogleadsense.info (C2 domain) |
attackevals.mitre.org/cr-6.b.1-30.png.html | Enrichment of rundll32.exe making an unusual network connection over the "HTTP Port" with the correct ATT&CK Tactic (Command a... |
attackevals.mitre.org/cr-6.b.1-100.png.html | Enrichment of rundll32.exe showing connection over port 80 and the amount of transmitted/received bytes (tainted by a parent Inj... |
attackevals.mitre.org/cr-6.b.1-101.png.html | Enrichment of rundll32.exe showing winhttp.dll module loaded (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/fe-6.b.1-4.png.html | Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (... |
attackevals.mitre.org/fe-6.b.1-3.png.html | Telemetry showing HTTP GET requests to 192.168.0.4 (C2 server) |
attackevals.mitre.org/ct-1.c.1-1.png.html | Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe |
attackevals.mitre.org/cs-e-4.png.html | Email excerpt from OverWatch team indicating they observed a scheduled task establishing persistence (Specific Behavior) |
attackevals.mitre.org/cs-1.c.1-1.png.html | OverWatch alert showing suspicious DNS traffic (does not count as a detection) |
attackevals.mitre.org/cs-1.c.1-2.png.html | Telemetry within an alert showing abnormally large DNS requests occurred (tainted by parent Exfiltration alert) |
attackevals.mitre.org/cr-1.c.1-20.png.html | Telemetry showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected S... |
attackevals.mitre.org/cr-1.c.1-100.png.html | Process tree showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injecte... |
attackevals.mitre.org/eg-01-6.png.html | Telemetry showing DNS connections |
attackevals.mitre.org/eg-01-5.png.html | Telemetry showing DNS requests from rundll32.exe (tainted by parent Malicious File Detection alert) |
attackevals.mitre.org/fe-1.c.1-2.png.html | Telemetry showing encoded DNS requests (tainted by parent Cobalt Strike DNS Beacon alert) |
attackevals.mitre.org/fe-1.c.1-5.png.html | Excerpt from the Managed Defense Report indicating command and control occurred via DNS (Specific Behavior) |
attackevals.mitre.org/ms-1.c.1-1.png.html | Telemetry showing DNS requests to the C2 domain (custom query) (does not count as a detection) |
attackevals.mitre.org/s1-1.c.1-1.png.html | Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID) |
attackevals.mitre.org/ct-14.a.1-2.png.html | Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded... |
attackevals.mitre.org/cs-14.a.1-7.png.html | Decoded PowerShell (outside of capability) showing download request over HTTP (does not count as a detection) |
attackevals.mitre.org/cs-14.a.1-6.png.html | Telemetry showing encoded PowerShell command that decodes to show HTTP traffic (does not count as a detection) |
attackevals.mitre.org/cr-14.a.1-40.png.html | Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080 |
attackevals.mitre.org/cr-14.a.1-30.png.html | Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Use... |
attackevals.mitre.org/eg-14-1.png.html | Telemetry showing decoded PowerShell with download request of wdbypass over port 8080 |
attackevals.mitre.org/fe-14.a.1-4.png.html | Telemetry showing TCP port 8080 connection to freegoogleadsenseinfo.com (C2 domain) (tainted by parent PowerShell URL Request al... |
attackevals.mitre.org/ms-14.a.1-4.png.html | Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to al... |
attackevals.mitre.org/rsa-14-1.png.html | Telemetry of decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of cap... |
attackevals.mitre.org/ms-11.b.1-2.png.html | Alert for C2 domain indicator of compromise |
attack.mitre.org/techniques/T1135/ | T1135 |
attackevals.mitre.org/eg-12-e-07.png.html | Interactive Shell events showing the WinEnum script and the Mapped Network Drives function (does not count as a detection due to... |
attack.mitre.org/techniques/T1132/ | T1132 |
attackevals.mitre.org/s1-1.c.1-2.png.html | Telemetry showing stream of DNS requests with encoded data |
attack.mitre.org/techniques/T1076/ | T1076 |
attackevals.mitre.org/ct-20.a.1-1.png.html | Telemetry showing connection to Creeper (10.0.0.4) on port 3389 |
attackevals.mitre.org/cs-20.a.1-3.png.html | Telemetry showing logon type 10 (remote interactive logon) for Kmitnick on Creeper |
attackevals.mitre.org/cr-20.a.1-20.png.html | Telemetry of connection to port 3389 on Creeper (10.0.0.4) |
attackevals.mitre.org/cr-20.a.1-21.png.html | Enrichment of RDP connection to Creeper (10.0.0.4) identified as using RDP Port and related ATT&CK Tactic (Command and Control) ... |
attackevals.mitre.org/eg-20-3.png.html | Telemetry showing connection to Creeper (10.0.0.4) on port 3389 |
attackevals.mitre.org/fe-20.a.1-1.png.html | Enrichment of TCP port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique T10176 - Remote D... |
attackevals.mitre.org/fe-20.a.1-2.png.html | Excerpt from the Managed Defense Report indicating the attacker replaced the magnifier.exe accessibility feature to launch a pri... |
attackevals.mitre.org/ms-20.a.1-2.png.html | Telemetry showing svchost.exe starting terminal service session on Creeper from CodeRed (10.0.1.5) |
attackevals.mitre.org/ms-20.a.1-3.png.html | Telemetry showing Kmitnick RDP logon from CodeRed to Creeper |
attackevals.mitre.org/cb-6.c.1-3.png.html | Telemetry showing rdpclip.exe running |
attackevals.mitre.org/cb-6.b.1-1.png.html | Telemetry showing network connection over TCP port 3389 to 10.0.0.5 (Conficker) |
attackevals.mitre.org/cb-6.c.1-1.png.html | Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol) |
attackevals.mitre.org/ct-6.c.1-1.png.html | Enrichment of outbound TCP port 3389 (RDP) connection with Lateral Movement and Remote Share Access (tainted by parent "Windows... |
attackevals.mitre.org/ct-6.c.1-2.png.html | Telemetry showing inbound TCP port 3389 connection to 10.0.0.5 (Conficker) |
attackevals.mitre.org/cs-6.c.1-3.png.html | Telemetry showing logon type 10 (interactive remote login) as user George@shockwave on 10.0.0.5 (Conficker) |
attackevals.mitre.org/cs-6.c.1-5.png.html | Telemetry showing a network connection to 10.0.0.5 (Conficker) over TCP port 3389 |
attackevals.mitre.org/cs-e-1.png.html | Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior) |
attackevals.mitre.org/cr-6.b.1-20.png.html | Telemetry showing rundll32.exe opening a connection over port 80 (tainted by a parent Injected Shellcode alert, listed as Owner ... |
attackevals.mitre.org/cr-6.c.1-10.png.html | Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive... |
attackevals.mitre.org/cr-6.c.1-11.png.html | Telemetry showing rdpclip.exe executing on 10.0.0.5 (Conficker) |
attackevals.mitre.org/eg-06-3.png.html | Telemetry showing Type 10 (interactive remote) login event by user George on Conficker |
attackevals.mitre.org/fe-6.c.1-1.png.html | Enrichment of RDP connection from rundll32.exe with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - ... |
attackevals.mitre.org/ms-6.c.1-4.png.html | Graph showing movement from Debbie account to George |
attackevals.mitre.org/ms-6.c.1-1.png.html | Telemetry showing execution sequence for cmd.exe connection over RDP to 10.0.0.5 (Conficker) |
attackevals.mitre.org/ms-6.c.1-3.png.html | Telemetry showing user logon activity on 10.0.0.5 (Conficker) showing George with a logon type 10 RemoteInteractive logon event |
attackevals.mitre.org/ms-6.c.1-2.png.html | Telemetry showing execution sequence on 10.0.0.5 (Conficker) showing George logon |
attackevals.mitre.org/rsa-06-3.png.html | Telemetry showing cmd.exe connecting over port 3389 (RDP) to 10.0.0.5 (Conficker) |
attackevals.mitre.org/s1-6.c.1-1.png.html | Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID) |
attackevals.mitre.org/cb-10.b.1-2.png.html | Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol) |
attackevals.mitre.org/cb-10.b.1-1.png.html | Telemetry from process tree showing rdpclip.exe running as user Jesse |
attackevals.mitre.org/ct-10.b.1-2.png.html | Enrichment of TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with conditions Lateral Movement and Remote Share Access (t... |
attackevals.mitre.org/cs-10.b.1-1.png.html | Telemetry showing user logon by Jesse to Conficker |
attackevals.mitre.org/cs-10.b.1-2.png.html | Telemetry showing logged-on user activity, including the use of rdpclip.exe |
attackevals.mitre.org/cr-10.b.1-100.png.html | Telemetry showing rundll32.exe process used to proxy connection over port 3389 from Nimda (10.0.1.6) to Conficker (10.0.0.5) (ta... |
attackevals.mitre.org/cr-10.b.1-10.png.html | Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type |
attackevals.mitre.org/cr-10.b.1-20.png.html | Telemetry showing a TCP port 3389 connection to Conficker (10.0.0.5) |
attackevals.mitre.org/eg-10-7.png.html | Telemetry showing remote connections over port 3389 to 10.0.0.5 (Conficker) |
attackevals.mitre.org/eg-10-6.png.html | Telemetry showing Type 10 (interactive) logon for Jesse |
attackevals.mitre.org/fe-10.b.1-4.png.html | Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker |
attackevals.mitre.org/fe-10.b.1-3.png.html | Excerpt from Managed Defense Report indicating account Jesse was used to logon to Conficker as part of Lateral Movement (Specifi... |
attackevals.mitre.org/fe-10.b.1-1.png.html | Enrichment of port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Deskt... |
attackevals.mitre.org/ms-10.b.1-2.png.html | Telemetry showing successful port 3389 connection to Conficker (10.0.0.5) |
attackevals.mitre.org/s1-10.b.1-2.png.html | Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (port 3389 connection n... |
attackevals.mitre.org/s1-10.b.1-1.png.html | Telemetry showing connection over port 3389 to 10.0.0.5 (Conficker) |
attack.mitre.org/techniques/T1053/ | T1053 |
attackevals.mitre.org/cb-10.a.2-2.png.html | Telemetry from process tree showing updater.dll executed by rundll32.exe |
attackevals.mitre.org/cb-10.a.2-1.png.html | Telemetry from process tree showing svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" argume... |
attackevals.mitre.org/ct-10.a.2-1.png.html | Telemetry showing svchost.exe executing rundll32.exe (tainted by parent "Sponsor process started V2" alert) |
attackevals.mitre.org/cs-10.a.2-2.png.html | Telemetry showing rundll32.exe executing updater.dll (tainted by the parent OverWatch alert) |
attackevals.mitre.org/cr-10.a.2-100.png.html | Telemetry showing rundll32.exe executing update.dat (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/cr-10.a.1-20.png.html | Parent alert for Injected shellcode into rundll32.exe |
attackevals.mitre.org/eg-10-1.png.html | Telemetry showing rundll32.exe executing updater.dll (tainted by Malicious File Detection alert) |
attackevals.mitre.org/eg-10-2.png.html | Telemetry showing rundll32.exe executing updater.dll (tainted by Process Injection alert) |
attackevals.mitre.org/fe-10.a.2-3.png.html | Excerpt from Managed Defense Report indicating the Resume Viewer Update Checker scheduled task executed updater.dll with rundll3... |
attackevals.mitre.org/fe-10.a.2-2.png.html | Parent Rundll32 Execution alert that tainted updater.dll telemetry (tagged with related ATT&CK Technique, T1085 - Rundll32, and ... |
attackevals.mitre.org/fe-10.a.2-1.png.html | Telemetry showing rundll32.exe executing updater.dll |
attackevals.mitre.org/ms-10.a.2-1.png.html | Telemetry showing execution sequence for svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" a... |
attackevals.mitre.org/rsa-10-2.png.html | Telemetry showing rundll32.exe executing updater.dll |
attackevals.mitre.org/s1-10.a.2-2.png.html | Telemetry showing rundll32.exe executing updater.dll |
attackevals.mitre.org/s1-10.a.1-3.png.html | Group ID query showing both autoupdate.bat and updater.dll persistence execution |
attackevals.mitre.org/cb-7.c.1-2.png.html | Specific Behavior alert mapped to correct ATT&CK Technique (T1053 - Scheduled Task) |
attackevals.mitre.org/cb-7.c.1-1.png.html | Telemetry showing process tree containing schtasks.exe and full command a task creation |
attackevals.mitre.org/ct-7.c.1-1.png.html | Specific Behavior alert on "Schtasks with create command" for schtasks.exe run from cmd.exe |
attackevals.mitre.org/cs-7.c.1-2.png.html | Telemetry showing creation of the scheduled task |
attackevals.mitre.org/cs-7.c.1-3.png.html | General Behavior alert from OverWatch indicating scheduled task creation was suspicious (tainted by previous cmd.exe detection b... |
attackevals.mitre.org/cr-7.c.1-11.png.html | Telemetry showing the Resume Viewer Update Checker scheduled task |
attackevals.mitre.org/cr-7.c.1-10.png.html | Enrichment of schtasks.exe with the correct ATT&CK Tactic (Persistence) |
attackevals.mitre.org/eg-07-4.png.html | Specific Behavior alert for scheduled task creation mapped to correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Pers... |
attackevals.mitre.org/eg-07-3.png.html | Enriched event tree showing enrichment of scheduled task with correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Pers... |
attackevals.mitre.org/eg-07-2.png.html | Enrichment of scheduled task from persistence hunt |
attackevals.mitre.org/fe-7.c.1-3.png.html | Excerpt from the Managed Defense Report identifying a directory listing of Debbie's profile directory (Specific Behavior) |
attackevals.mitre.org/fe-7.c.1-2.png.html | Excerpt from the Managed Defense Report with additional details about schtask |
attackevals.mitre.org/fe-7.c.1-1.png.html | Enrichment of schtasks.exe with Scheduled Task Activity alert (tagged with correct ATT&CK Technique, T1053 - Scheduled Task, and... |
attackevals.mitre.org/ms-7.c.1-1.png.html | Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence |
attackevals.mitre.org/ms-7.c.1-2.png.html | Alert for low-reputation DLL persisting through rundll32.exe as a scheduled task |
attackevals.mitre.org/rsa-07-2.png.html | Telemetry showing the schtask.exe and command-line arguments |
attackevals.mitre.org/s1-7.c.1-1.png.html | Telemetry showing schtask.exe and associated command-line arguments (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1074/ | T1074 |
attackevals.mitre.org/cb-18.b.1-2.png.html | Specific Behavior alert on the file write of the .vsdx file in the Recycle Bin (showing red severity score, mapped to correct AT... |
attackevals.mitre.org/cb-18.b.1-1.png.html | Telemetry showing creation of the .vsdx file in the Recycle Bin |
attackevals.mitre.org/cs-18.b.1-1.png.html | Telemetry showing the .vsdx being written into the Recycle Bin (event_SimpleName of OoxmlFileWritten) |
attackevals.mitre.org/cr-18.b.1-10.png.html | Telemetry of file create/write of vsdx (tainted by a parent PowerShell alert, listed as Owner process) |
attackevals.mitre.org/eg-18-1.png.html | Telemetry showing the file creation of the .vsdx file in the Recycle Bin |
attackevals.mitre.org/eg-18-2.png.html | Event tree showing creation of the .vsdx file (tainted by parent alerts on powershell.exe) |
attackevals.mitre.org/fe-18.b.1-3.png.html | Specific Behavior alert for File Write to Root of Recycle Bin |
attackevals.mitre.org/fe-18.b.1-2.png.html | Additional telemetry showing file write of .vsdx with PowerShell File Write alert |
attackevals.mitre.org/fe-18.b.1-1.png.html | Telemetry showing powershell.exe file write of .vsdx to the Recycle Bin with PowerShell File Write alert |
attack.mitre.org/techniques/T1010/ | T1010 |
attackevals.mitre.org/cs-15.a.1-2.png.html | Telemetry showing decoded PowerShell script containing the function Get-Keystrokes |
attack.mitre.org/techniques/T1078/ | T1078 |
attackevals.mitre.org/cb-16.b.1-1.png.html | Telemetry showing process tree with five different net.exe logon attempts targeting ADMIN$ |
attackevals.mitre.org/cb-16.b.1-2.png.html | Specific Behavior alerts for removing connected network share |
attackevals.mitre.org/ct-16.b.1-2.png.html | Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" ale... |
attackevals.mitre.org/ct-16.b.1-1.png.html | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Pow... |
attackevals.mitre.org/cs-16.b.1-2.png.html | OverWatch General Behavior alert indicating successful net use connection to ADMIN$ was suspicious (would be tainted by previous... |
attackevals.mitre.org/cs-16.b.1-1.png.html | Telemetry from process tree showing successful net use connection to ADMIN$ (tainted by previous powershell.exe detection by red... |
attackevals.mitre.org/cr-16.b.1-20.png.html | Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) ... |
attackevals.mitre.org/eg-16-7.png.html | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Later... |
attackevals.mitre.org/eg-16-3.png.html | Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt (tainted by parent PowerShell a... |
attackevals.mitre.org/fe-16.b.1-1.png.html | Enrichment of net.exe logon attempt to ADMIN$ with Net Use Command Execution alert (tagged with the correct ATT&CK Technique, 10... |
attackevals.mitre.org/fe-16.b.1-2.png.html | Telemetry showing successful logon of user Kmitnick |
attackevals.mitre.org/ms-16.b.1-3.png.html | Telemetry showing 10.0.1.5 (CodeRed) system accessed resources on 10.0.0.5 (Conficker) |
attackevals.mitre.org/ms-16.b.1-1.png.html | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerSh... |
attackevals.mitre.org/ms-16.b.1-2.png.html | Telemetry showing user Kmitnick login activity on 10.0.0.5 (Conficker) |
attackevals.mitre.org/ms-16.a.1-6.png.html | Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert w... |
attackevals.mitre.org/rsa-16-2.png.html | Telemetry showing logon attempt targeting ADMIN$ via net.exe and command-line arguments |
attackevals.mitre.org/s1-16.b.1-1.png.html | Telemetry showing a net.exe logon attempt targeting ADMIN$ (tainted by relationship to threat story) |
attackevals.mitre.org/s1-16.a.1-2.png.html | Telemetry showing net.exe logon attempts targeting ADMIN$ and corresponding exit codes |
attackevals.mitre.org/ct-10.b.1-1.png.html | Telemetry showing explorer.exe running as Jesse |
attackevals.mitre.org/eg-10-3.png.html | Telemetry showing userinit.exe running as Jesse (tainted by parent "Start Folder Persistence" alert) |
attackevals.mitre.org/fe-10.b.1-2.png.html | Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker |
attackevals.mitre.org/ms-10.b.1-1.png.html | Telemetry showing local user account Jesse first and last seen logons on Conficker |
attackevals.mitre.org/rsa-10-3.png.html | Telemetry showing "unregmp2.exe /FirstLogon" (associated with user logon) |
attackevals.mitre.org/rsa-10-4.png.html | Telemetry showing user name "Jesse J" within Machine Properties |
attackevals.mitre.org/s1-10.b.1-3.png.html | Telemetry showing last logged on user identified as Jesse |
attackevals.mitre.org/cb-16.d.1-1.png.html | Telemetry showing process tree with successful net.exe logon targeting C$ |
attackevals.mitre.org/ct-16.d.1-1.png.html | Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by ... |
attackevals.mitre.org/cs-16.d.1-2.png.html | Telemetry showing process tree containing successful net use connection to C$ (tainted by previous powershell.exe detection by r... |
attackevals.mitre.org/cr-16.d.1-10.png.html | Process tree showing alert net.exe execution (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-16-6.png.html | Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt tagged with correct ATT&CK Tec... |
attackevals.mitre.org/fe-16.d.1-2.png.html | Excerpt from the Managed Defense Report indicating the attacker mounting the C$ on creeper with the kmitnick account (Specific B... |
attackevals.mitre.org/fe-16.d.1-1.png.html | Enrichment of net1.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares,... |
attackevals.mitre.org/ms-16.d.1-2.png.html | Telemetry from query showing successful Kmitnick logon event for Creeper |
attackevals.mitre.org/ms-16.d.1-1.png.html | Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by ... |
attackevals.mitre.org/rsa-16-4.png.html | Telemetry showing logon attempt targeting C$ via net.exe and command-line arguments |
attackevals.mitre.org/s1-16.d.1-1.png.html | Telemetry showing a net.exe logon attempt targeting C$ (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1110/ | T1110 |
attackevals.mitre.org/cs-e-10.png.html | Excerpt from email sent by OverWatch team indicating they observed autoupdate.vbs written (General Behavior) |
attackevals.mitre.org/eg-16-4.png.html | Telemetry showing event tree with all 5 net commands associated with brute force failures and eventual success (tainted by paren... |
attackevals.mitre.org/ms-16.a.1-1.png.html | Specific Behavior alert for brute force attempt to remote SMB shares |
attackevals.mitre.org/cb-16.a.1-1.png.html | Telemetry showing process tree with four different net.exe logon attempts targeting ADMIN$ |
attackevals.mitre.org/ct-16.a.1-1.png.html | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User R... |
attackevals.mitre.org/ct-16.a.1-2.png.html | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Re... |
attackevals.mitre.org/ct-16.a.1-3.png.html | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconna... |
attackevals.mitre.org/ct-16.a.1-4.png.html | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reco... |
attackevals.mitre.org/cs-16.a.1-1.png.html | Telemetry showing net use logon attempts to ADMIN$ shares |
attackevals.mitre.org/cs-16.a.1-3.png.html | Telemetry showing details for the logon attempt into the 10.0.1.4 (Morris) showing UserLogonFlags_decimal is equal to 6 (attempt... |
attackevals.mitre.org/cs-16.a.1-2.png.html | Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not ... |
attackevals.mitre.org/cs-16.a.1-4.png.html | Telemetry showing details for the logon attempt into the 10.0.1.6 (Nimda) showing UserLogonFlags_decimal is equal to 6 (attempt ... |
attackevals.mitre.org/cr-16.a.1-20.png.html | Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and... |
attackevals.mitre.org/cr-16.a.1-2.png.html | Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) ... |
attackevals.mitre.org/cr-16.a.1-3.png.html | Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares... |
attackevals.mitre.org/cr-16.a.1-1.png.html | Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares... |
attackevals.mitre.org/cr-16.a.1-10.png.html | Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a... |
attackevals.mitre.org/eg-16-2.png.html | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Later... |
attackevals.mitre.org/eg-16-1.png.html | Specific Behavior alert for Mounting Hidden Shares, associated with each net.exe connection attempt (tainted by parent PowerShel... |
attackevals.mitre.org/fe-16.a.1-2.png.html | Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, a... |
attackevals.mitre.org/fe-16.a.1-3.png.html | Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, a... |
attackevals.mitre.org/fe-16.a.1-1.png.html | Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, a... |
attackevals.mitre.org/fe-16.a.1-6.png.html | Excerpt from the Managed Defense Report indicating the attacker attempted to access systems using four accounts (General Behavio... |
attackevals.mitre.org/fe-16.a.1-4.png.html | Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, a... |
attackevals.mitre.org/fe-16.a.1-5.png.html | Telemetry showing failed logon attempt for Kmitnick |
attackevals.mitre.org/ms-16.a.1-3.png.html | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell ... |
attackevals.mitre.org/ms-16.a.1-2.png.html | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell... |
attackevals.mitre.org/ms-16.a.1-5.png.html | System access history from CodeRed to Nimda and Morris |
attackevals.mitre.org/ms-16.a.1-4.png.html | Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 ... |
attackevals.mitre.org/rsa-16-1.png.html | Telemetry showing logon attempts targeting ADMIN$ via net.exe and command-line arguments |
attackevals.mitre.org/s1-16.a.1-1.png.html | Telemetry showing net.exe logon attempts targeting ADMIN$ (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1113/ | T1113 |
attackevals.mitre.org/ct-8.d.1-2.png.html | DDNA JSON output showing the process had the capability to capture screen shots (does not count as a detection; DDNA scan was ma... |
attackevals.mitre.org/cr-8.d.1-11.png.html | Alert for explorer.exe loading a Meterpreter agent (does not count as detection) |
attackevals.mitre.org/cr-8.d.1-10.png.html | Alert showing loaded screenshotx64.dll module (does not count as a detection) |
attackevals.mitre.org/eg-08-5.png.html | Strings output extracted from Process Injection alert, showing BitBlt and CreateCompatibleBitmap that could be associated with s... |
attackevals.mitre.org/ms-8.d.1-1.png.html | Enrichment of explorer.exe with ScreenshotTaken |
attack.mitre.org/techniques/T1136/ | T1136 |
attackevals.mitre.org/cb-7.a.1-2.png.html | Telemetry showing Registry modifications for new user Jesse |
attackevals.mitre.org/cb-7.a.1-4.png.html | Enrichment of lsass.exe with tag "Create Accounts using GUI" |
attackevals.mitre.org/ct-7.a.1-2.png.html | Child event of Specific Behavior alert showing new account added to local admins group |
attackevals.mitre.org/ct-7.a.1-1.png.html | Specific Behavior alert for "New user account created" and event showing account name was Jesse |
attackevals.mitre.org/cs-7.a.1-1.png.html | Telemetry showing creation of the user Jesse with the user RID 000003E8 |
attackevals.mitre.org/cs-7.a.1-2.png.html | Telemetry showing user RID 000003E8 (corresponding to the user Jesse) added to the admin group (00000220), a well-known security... |
attackevals.mitre.org/cs-7.a.1-3.png.html | Telemetry showing group membership of the user Jesse, including Remote (0000022B), Admins (00000220), and Users (00000221), whic... |
attackevals.mitre.org/cr-7.a.1-20.png.html | Telemetry showing lsass.exe creating a Registry key for user Jesse |
attackevals.mitre.org/fe-7.a.1-4.png.html | Excerpt from the Managed Defense Report showing the creation of the user Jesse (Specific Behavior) |
attackevals.mitre.org/fe-7.a.1-1.png.html | Telemetry showing creation of user Jesse |
attackevals.mitre.org/ms-7.a.1-1.png.html | Telemetry showing creation of user account Jesse |
attackevals.mitre.org/s1-7.a.1-1.png.html | Telemetry showing creation of user account Jesse |
attack.mitre.org/techniques/T1082/ | T1082 |
attackevals.mitre.org/cb-2.e.2-2.png.html | Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery) |
attackevals.mitre.org/cb-2.e.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-2.e.2-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cr-2.e.2-10.png.html | Telemetry showing cmd.exe executing net executing with command-line arguments |
attackevals.mitre.org/cr-2.e.2-12.png.html | Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted... |
attackevals.mitre.org/eg-02-9.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.e.2-1.png.html | Enrichment of net.exe with Net Config Command Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information ... |
attackevals.mitre.org/fe-2.e.2-2.png.html | Excerpt from the Managed Defense Report with additional details about net |
attackevals.mitre.org/ms-2.e.2-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/ms-2.e.2-2.png.html | Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.e... |
attackevals.mitre.org/rsa-02-3.png.html | Telemetry showing net.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-9.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-2.e.1-1.png.html | Telemetry from process tree showing systeminfo.exe |
attackevals.mitre.org/cb-2.e.1-2.png.html | Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery) |
attackevals.mitre.org/ct-2.e.1-1.png.html | Telemetry showing systeminfo.exe (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-2.e.1-1.png.html | OverWatch General Behavior alert indicating systeminfo.exe was suspicious |
attackevals.mitre.org/cr-2.e.1-11.png.html | Enrichment of systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (... |
attackevals.mitre.org/eg-02-8.png.html | Telemetry showing systeminfo.exe (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.e.1-1.png.html | Enrichment of systeminfo.exe with Systeminfo Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information D... |
attackevals.mitre.org/fe-2.e.1-2.png.html | Excerpt from the Managed Defense Report with additional details about systeminfo |
attackevals.mitre.org/ms-2.e.1-1.png.html | Telemetry showing execution sequence for systeminfo.exe |
attackevals.mitre.org/s1-2.a.1-8.png.html | Telemetry showing systeminfo.exe (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1083/ | T1083 |
attackevals.mitre.org/ms-18.a.1-1.png.html | Query showing .vsdx PowerShell file search script that was executed |
attackevals.mitre.org/cb-8.c.1-2.png.html | Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery) |
attackevals.mitre.org/cb-8.a.1-1.png.html | Telemetry from process tree showing dir with command-line arguments |
attackevals.mitre.org/ct-8.a.1-1.png.html | Telemetry showing dir with command-line arguments (tainted by the parent "Powershell process created" alert)
attackevals.mitre.org/cs-8.a.1-2.png.html | OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating med... |
attackevals.mitre.org/cs-8.a.1-1.png.html | Telemetry showing cmd.exe running tree with command-line arguments (search was on commands running within the past 10 minutes) |
attackevals.mitre.org/cr-8.a.1-10.png.html | Enrichment of cmd.exe executing the dir with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) ... |
attackevals.mitre.org/eg-08-1.png.html | Enriched event tree showing enrichment of tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tact... |
attackevals.mitre.org/fe-8.a.1-1.png.html | Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Dis... |
attackevals.mitre.org/ms-8.a.1-1.png.html | Telemetry showing execution sequence of cmd.exe executing dir with command-line arguments |
attackevals.mitre.org/ms-8.a.1-2.png.html | Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted tre...
attackevals.mitre.org/rsa-08-1.png.html | Telemetry showing cmd.exe executing tree with command-line arguments |
attackevals.mitre.org/s1-8.a.1-2.png.html | Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-8.a.1-2.png.html | Telemetry from process tree showing tree.com with command-line arguments |
attackevals.mitre.org/ct-8.a.2-1.png.html | Telemetry showing tree with command-line arguments (tainted by the parent "Powershell process created" alert)
attackevals.mitre.org/cs-8.a.2-2.png.html | Additional details for OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by ora... |
attackevals.mitre.org/cr-8.a.1-20.png.html | Enrichment of cmd.exe executing the tree with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery)... |
attackevals.mitre.org/fe-8.a.1-2.png.html | Enrichment of cmd.exe executing tree with Tree Command Execution alert (tagged with correct ATT&CK Technique, T1083 - File and D... |
attackevals.mitre.org/fe-8.a.1-4.png.html | Excerpt from Managed Defense Report showing additional details about tree |
attackevals.mitre.org/ms-8.a.2-1.png.html | Telemetry showing execution sequence of cmd.exe executing tree.com with command-line arguments |
attackevals.mitre.org/s1-8.a.1-3.png.html | Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/eg-12-e-04.png.html | Interactive Shell events showing the WinEnum script and the Interesting Files function (does not count as a detection due to man... |
attack.mitre.org/techniques/T1081/ | T1081 |
attackevals.mitre.org/ms-15.b.1-1.png.html | Telemetry showing "Get-Content" cmdlet (does not count as a detection) |
attack.mitre.org/techniques/T1086/ | T1086 |
attack.mitre.org/techniques/T1087/ | T1087 |
attackevals.mitre.org/cb-2.g.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/cb-2.g.2-2.png.html | Enrichment of net.exe with correct ATT&CK Technique (Account Discovery) |
attackevals.mitre.org/ct-2.g.2-1.png.html | Enrichment of net.exe with conditions Reconnaissance Tool and Net User Reconnaissance Command (tainted by the parent Script File... |
attackevals.mitre.org/cr-2.g.2-10.png.html | Telemetry showing net executing with command-line arguments |
attackevals.mitre.org/cr-2.g.1-100.png.html | Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
attackevals.mitre.org/eg-02-14.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.g.2-1.png.html | Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, an... |
attackevals.mitre.org/ms-2.g.2-2.png.html | Telemetry showing discovery of George permissions by Debbie from Nimda at the domain controller |
attackevals.mitre.org/ms-2.g.2-3.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line a... |
attackevals.mitre.org/ms-2.g.2-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-14.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-12.g.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/cb-12.f.1-3.png.html | Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) |
attackevals.mitre.org/ct-12.g.1-1.png.html | Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-12.g.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red l... |
attackevals.mitre.org/cr-12.g.1-1.png.html | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-12.g.1-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
attackevals.mitre.org/eg-12-7.png.html | Telemetry showing powershell.exe execution (ID 2397532) (tainted by parent PowerShell alerts) |
attackevals.mitre.org/eg-12-6.png.html | Telemetry from event tree showing net.exe with command-line arguments (tainted by parent PowerShell alert) |
attackevals.mitre.org/fe-12.g.1-1.png.html | Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, an... |
attackevals.mitre.org/ms-12.g.1-2.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-li...
attackevals.mitre.org/ms-12.g.1-1.png.html | Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments |
attackevals.mitre.org/rsa-12-2.png.html | Telemetry showing net.exe with command-line arguments |
attackevals.mitre.org/s1-12.f.1-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/s1-12.f.1-2.png.html | Continued threat story showing initial compromise alert and powershell.exe tainting net.exe |
attackevals.mitre.org/s1-12.f.1-3.png.html | Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter) |
attackevals.mitre.org/cb-12.g.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-12.g.2-1.png.html | Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-12.g.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red l... |
attackevals.mitre.org/cr-12.g.2-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
attackevals.mitre.org/fe-12.g.2-1.png.html | Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, an... |
attackevals.mitre.org/ms-12.g.2-2.png.html | Specific Behavior alert showing domain user enumeration from Bob on CodeRed against Domain Controller on Creeper |
attackevals.mitre.org/ms-12.g.2-3.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-li...
attackevals.mitre.org/ms-12.g.2-1.png.html | Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments |
attackevals.mitre.org/cb-7.a.1-3.png.html | Telemetry showing mmc.exe running lusrmgr.msc |
attackevals.mitre.org/ct-7.a.1-3.png.html | Telemetry showing mmc.exe process executing lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)
attackevals.mitre.org/cs-6.c.1-4.png.html | Telemetry showing mmc.exe running lusrmgr.msc
attackevals.mitre.org/cr-7.a.1-10.png.html | Telemetry showing lusrmgr.msc running from mmc.exe |
attackevals.mitre.org/eg-07-5.png.html | Telemetry showing mmc.exe running lusrmgr.msc
attackevals.mitre.org/fe-7.a.1-3.png.html | Telemetry showing mmc.exe spawning lusrmgr.exe |
attackevals.mitre.org/ms-7.a.1-2.png.html | Telemetry showing mmc.exe running lusrmgr.msc |
attackevals.mitre.org/cb-2.g.1-2.png.html | Enrichment of net.exe with correct ATT&CK Technique (Account Discovery) |
attackevals.mitre.org/cb-2.g.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-2.g.1-1.png.html | Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cr-2.g.2-100.png.html | Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
attackevals.mitre.org/cr-2.g.1-10.png.html | Telemetry showing net executing with command-line arguments |
attackevals.mitre.org/eg-02-13.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.g.1-2.png.html | Excerpt from the Managed Defense Report with additional details about net |
attackevals.mitre.org/fe-2.g.1-1.png.html | Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, an... |
attackevals.mitre.org/ms-2.g.1-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/ms-2.g.1-2.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line a... |
attackevals.mitre.org/s1-2.a.1-13.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1085/ | T1085 |
attackevals.mitre.org/ct-1.a.1-1.png.html | Telemetry showing cmd.exe launched rundll32.exe (tainted by the Script File Created alert) |
attackevals.mitre.org/cs-1.a.1-6.png.html | Specific Behavior alert showing rundll32 execution (mapped to correct ATT&CK Technique, Rundll32, and Tactic, Defense Evasion. G... |
attackevals.mitre.org/cs-1.a.1-4.png.html | OverWatch General Behavior alert indicating rundll32 execution was suspicious |
attackevals.mitre.org/cr-1.a.1-30.png.html | Specific Behavior alert for rundll32.exe, identified as a compromised legitimate process, injecting shellcode into rundll32.exe,... |
attackevals.mitre.org/cr-1.a.1-101.png.html | Telemetry within the rundll32.exe injection alert showing command-line arguments of rundll32.exe running update.dat (tainted by ... |
attackevals.mitre.org/cr-1.a.1-200.png.html | Specific Behavior alert for rundll32.exe launching a module from a temporary folder and injecting shellcode into a victim proces... |
attackevals.mitre.org/eg-01-11.png.html | Specific Behavior alert for RunDLL32 with Suspicious DLL Location and surrounding telemetry (tagged with correct ATT&CK Techniq... |
attackevals.mitre.org/eg-01-10.png.html | Telemetry showing rundll32.exe running update.dat execution event |
attackevals.mitre.org/fe-1.a.1-6.png.html | Excerpt from the Managed Defense Report indicating rundll32.exe was used for execution (Specific Behavior) |
attackevals.mitre.org/fe-1.a.1-3.png.html | Enrichment of rundll32.exe execution (tagged with correct ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Exec... |
attackevals.mitre.org/ms-1.a.1-10.png.html | Telemetry showing rundll32.exe process injection sequence |
attackevals.mitre.org/ms-1.a.1-13.png.html | General Behavior alert on low-reputation DLL load by signed executable |
attack.mitre.org/techniques/T1049/ | T1049 |
attackevals.mitre.org/cb-12.e.1.12-2.png.html | Telemetry from process tree showing netstat.exe with command-line arguments |
attackevals.mitre.org/cb-12.e.1.12-1.png.html | Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery) |
attackevals.mitre.org/cs-12.e.12-2.png.html | Telemetry from process tree showing netstat.exe with command-line arguments (tainted from previous powershell.exe detection by r... |
attackevals.mitre.org/cr-12.e.1.12-1.png.html | Enriched alert for netstat.exe labeled with Reconnaissance and the correct ATT&CK Technique (System Network Connections Discover... |
attackevals.mitre.org/eg-12-3.png.html | Specific Behavior alert for "PowerShell with Unusual Arguments" (tagged with correct ATT&CK Technique, T1086 - PowerShell, and...
attackevals.mitre.org/fe-12.e.1.12-1.png.html | Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections... |
attackevals.mitre.org/ms-12.e.1-3.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with comman...
attackevals.mitre.org/ms-12.e.1-1.png.html | Telemetry showing powershell.exe execution sequence resulting from WinEnum |
attackevals.mitre.org/rsa-12-3.png.html | Telemetry showing a PowerShell script written to disk |
attackevals.mitre.org/s1-12.e.1-1.png.html | Telemetry showing encoded PowerShell script (tainted Group ID not shown but was the search parameter) |
attackevals.mitre.org/ct-13.b.1-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-13.b.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red lin... |
attackevals.mitre.org/cr-13.b.1-10.png.html | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-13.b.1-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Network Connections Discovery) and Technique... |
attackevals.mitre.org/eg-13-1.png.html | Specific Behavior alert for Discovery via network file share enumeration (tainted by parent alert) |
attackevals.mitre.org/fe-13.b.1-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1049 -System Network Connec... |
attackevals.mitre.org/ms-13.b.1-1.png.html | Telemetry showing execution of net.exe with command-line arguments |
attackevals.mitre.org/ms-13.b.1-2.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-li...
attackevals.mitre.org/cb-13.b.1-1.png.html | Telemetry showing process tree with netstat.exe and command-line arguments |
attackevals.mitre.org/ct-13.b.2-1.png.html | Telemetry showing netstat.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-13.b.2-1.png.html | Telemetry from process tree showing netstat.exe with command-line arguments (tainted by previous powershell.exe detection by red... |
attackevals.mitre.org/cr-13.b.2-10.png.html | Enrichment showing netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discover... |
attackevals.mitre.org/fe-13.b.2-1.png.html | Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections... |
attackevals.mitre.org/ms-13.b.2-2.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with comman...
attackevals.mitre.org/ms-13.b.2-1.png.html | Telemetry showing execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert) |
attackevals.mitre.org/cb-4.c.1-1.png.html | Telemetry from process tree showing netstat.exe with command-line arguments |
attackevals.mitre.org/cb-4.c.1-2.png.html | Enrichment of netstat.exe with correct ATT&CK technique (System Network Connections Discovery) |
attackevals.mitre.org/ct-4.c.1-1.png.html | Telemetry showing netstat.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ra...
attackevals.mitre.org/cs-4.c.1-1.png.html | OverWatch General Behavior alert indicating netstat execution by cmd.exe was suspicious |
attackevals.mitre.org/cr-4.c.1-100.png.html | Enrichment of netstat.exe executing labeled as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connect... |
attackevals.mitre.org/cr-4.c.1-10.png.html | Telemetry showing cmd.exe executing netstat with command-line arguments |
attackevals.mitre.org/eg-04-4.png.html | Additional UI view of telemetry (showing the netstat command in this instance) |
attackevals.mitre.org/fe-4.c.1-1.png.html | Enrichment of netstat.exe with Netstat Execution alert (tagged with the correct ATT&CK Technique, T1049 - System Network Connect... |
attackevals.mitre.org/fe-4.c.1-2.png.html | Excerpt from the Managed Defense Report with additional details about netstat |
attackevals.mitre.org/ms-4.c.1-1.png.html | Telemetry showing execution sequence for netstat.exe with command-line arguments |
attack.mitre.org/techniques/T1088/ | T1088 |
attackevals.mitre.org/ct-3.a.1-2.png.html | Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate m... |
attackevals.mitre.org/ct-3.a.1-1.png.html | Alert for PowerShell process creation (does not count as a detection) |
attackevals.mitre.org/cs-3.a.1-1.png.html | Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High) |
attackevals.mitre.org/cr-3.a.1-20.png.html | Telemetry showing powershell.exe running as high integrity as user Debbie (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-3.a.1-1.png.html | Telemetry showing powershell.exe running as medium integrity as user Debbie |
attackevals.mitre.org/eg-03-06.png.html | Telemetry showing powershell.exe spawned with token authentication id 100243447 |
attackevals.mitre.org/fe-3.a.1-3.png.html | Telemetry showing svchost.exe seclogon event for token login ID 0xfcf5fd |
attackevals.mitre.org/fe-3.a.1-4.png.html | Telemetry showing group membership of token logon ID 0xfcf5fd, which includes S-1-16-12288 (High Mandatory Level) |
attackevals.mitre.org/ms-3.a.1-2.png.html | Telemetry showing svchost.exe execution with seclogon command-line argument then subsequent powershell.exe |
attackevals.mitre.org/ms-3.a.1-1.png.html | Telemetry showing rundll32.exe running as medium integrity as user Debbie |
attackevals.mitre.org/ct-14.a.1-1.png.html | Alert for encoded PowerShell (does not count as a detection) |
attackevals.mitre.org/cs-14.a.1-4.png.html | Telemetry showing the Invoke-BypassUACTokenManipulation function |
attackevals.mitre.org/cs-14.a.1-9.png.html | Telemetry showing integrity level change through query for powershell.exe processes of high integrity (12288/0x3000) that were c... |
attackevals.mitre.org/cr-14.a.1-11.png.html | Telemetry showing powershell.exe executing with medium process integrity (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-14.a.1-12.png.html | Telemetry showing powershell.exe executing with high process integrity (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-14.a.1-13.png.html | Parent alert generated for malicious use of PowerShell |
attackevals.mitre.org/eg-14-2.png.html | Telemetry showing authentication (logon) ID mismatch between parent and child processes |
attackevals.mitre.org/eg-14-4.png.html | Telemetry showing svchost.exe seclogon event for token login id 0x9b6855 (10184789), used by the spawned powershell.exe
attackevals.mitre.org/fe-14.a.1-7.png.html | Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0x10530b3 |
attackevals.mitre.org/fe-14.a.1-8.png.html | Telemetry showing group membership of token logon ID 0x10530b3 associated with user Bob, which includes S-1-16-12288 (High Manda... |
attackevals.mitre.org/ms-14.a.1-5.png.html | Parent alert for "Suspicious sequence of exploration activities" showing powershell.exe process tainting this event
attackevals.mitre.org/ms-14.a.1-1.png.html | Telemetry showing medium integrity powershell.exe process executing Invoke-BypassUACTokenManipulation as user Bob |
attackevals.mitre.org/ms-14.a.1-3.png.html | Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 |
attackevals.mitre.org/ms-14.a.1-2.png.html | Telemetry showing high integrity powershell.exe process as SYSTEM |
attackevals.mitre.org/s1-14.a.1-1.png.html | Telemetry showing process integrity level change from medium to high (tainted by relationship to threat story but Group ID not s... |
attack.mitre.org/techniques/T1057/ | T1057 |
attackevals.mitre.org/cb-2.c.2-1.png.html | Telemetry from process tree showing tasklist.exe with command-line arguments |
attackevals.mitre.org/cb-2.c.2-2.png.html | Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery) |
attackevals.mitre.org/ct-2.c.2-1.png.html | Telemetry showing tasklist.exe with command-line arguments (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cr-2.c.2-10.png.html | Telemetry showing cmd.exe executing tasklist with command-line arguments |
attackevals.mitre.org/eg-02-5.png.html | Telemetry showing tasklist.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.c.2-1.png.html | Enrichment of tasklist.exe with Tasklist Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and T... |
attackevals.mitre.org/fe-2.c.2-2.png.html | Excerpt from the Managed Defense Report with additional details about tasklist |
attackevals.mitre.org/ms-2.c.2-1.png.html | Telemetry showing execution sequence for tasklist.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-5.png.html | Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-12.c.1-1.png.html | Telemetry from process tree showing qprocess.exe with command-line arguments |
attackevals.mitre.org/cb-12.c.1-2.png.html | Enrichment of qprocess.exe with correct ATT&CK Technique (Process Discovery) |
attackevals.mitre.org/ct-12.c.1-1.png.html | Telemetry showing qprocess.exe with command-line arguments (tainted by parent Script File Created alert) |
attackevals.mitre.org/cs-12.c.1-1.png.html | OverWatch General Behavior alert and telemetry indicating qprocess.exe with command-line arguments was suspicious (tainted from ... |
attackevals.mitre.org/cr-12.c.1-1.png.html | Enrichment of qprocess.exe executing with correct ATT&CK Technique (Process Discovery) and Tactic (Discovery) (tainted by a pare... |
attackevals.mitre.org/fe-12.c.1-1.png.html | Enrichment of qprocess.exe with Qprocess Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and T... |
attackevals.mitre.org/ms-12.c.1-1.png.html | Telemetry showing execution sequence of powershell.exe executing qprocess.exe with command-line arguments |
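The rows above all follow one shape: a technique row (attack.mitre.org/techniques/Txxxx/) followed by screenshot rows whose file name starts with a vendor abbreviation and whose caption says what kind of detection it was (Telemetry, Enrichment, General or Specific Behavior), whether it was "tainted" by a parent alert, and whether MITRE marked it "does not count as a detection". The parser below is an added example, not the blog's own t.py nor anything from MITRE: it turns such rows into a per-technique, per-vendor tally. The sample rows are constructed (copied in the shape of the listing), the category keywords are my reading of the captions, and the vendor names in VENDOR_LABELS are an assumption inferred from the captions (e.g. "Managed Defense Report" under fe-, "OverWatch" under cs-), not something the listing states.

```python
import re
from collections import defaultdict

# Constructed sample in the same "url | caption" shape as the link listing.
SAMPLE = """\
attack.mitre.org/techniques/T1082/ | T1082
attackevals.mitre.org/cb-2.e.2-2.png.html | Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery)
attackevals.mitre.org/cb-2.e.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments
attackevals.mitre.org/ct-2.e.2-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)
attackevals.mitre.org/cs-2.e.1-1.png.html | OverWatch General Behavior alert indicating systeminfo.exe was suspicious
attack.mitre.org/techniques/T1115/ | T1115
attackevals.mitre.org/cs-12.e.1.5-1.png.html | OverWatch alert indicating encoded PowerShell was suspicious (does not count as a detection)
attackevals.mitre.org/cr-12.e.1.5-1.png.html | Telemetry of the PowerShell function to gather clipboard data (tainted by a parent PowerShell alert)
"""

# ASSUMPTION: vendor abbreviation -> vendor, inferred from caption wording, not from the listing.
VENDOR_LABELS = {
    "cb": "Carbon Black", "cr": "Cybereason", "cs": "CrowdStrike", "ct": "CounterTack",
    "eg": "Endgame", "fe": "FireEye", "ms": "Microsoft", "rsa": "RSA", "s1": "SentinelOne",
}

TECHNIQUE_RE = re.compile(r"attack\.mitre\.org/techniques/(T\d{4})/")
SCREENSHOT_RE = re.compile(r"attackevals\.mitre\.org/([a-z0-9]+)-(.+?)\.png\.html")

# First matching rule wins, so the "does not count" exclusion is tested before anything else.
CATEGORY_RULES = [
    ("does not count as", None),  # MITRE excluded this screenshot from the detection count
    ("specific behavior", "Specific Behavior"),
    ("general behavior", "General Behavior"),
    ("indicator of compromise", "Indicator of Compromise"),
    ("enrich", "Enrichment"),
    ("telemetry", "Telemetry"),
]


def classify(caption):
    """Return (category, tainted). category is None when the caption is not a counted detection."""
    text = caption.lower()
    category = "Other"
    for needle, name in CATEGORY_RULES:
        if needle in text:
            category = name
            break
    return category, "tainted" in text


def parse_rows(text):
    """Yield (technique, vendor_prefix, file_stem, caption) for every screenshot row."""
    technique = None
    for line in text.splitlines():
        if " | " not in line:
            continue
        url, caption = (part.strip() for part in line.split(" | ", 1))
        m = TECHNIQUE_RE.search(url)
        if m:
            technique = m.group(1)  # subsequent screenshot rows belong to this technique
            continue
        m = SCREENSHOT_RE.search(url)
        if m and technique:
            yield technique, m.group(1), m.group(2), caption


def _new_entry():
    return {"counted": 0, "tainted": 0, "excluded": 0, "categories": defaultdict(int)}


def summarize(text):
    """technique -> vendor prefix -> counts of counted/tainted/excluded screenshots and per-category totals."""
    summary = defaultdict(lambda: defaultdict(_new_entry))
    for technique, vendor, _stem, caption in parse_rows(text):
        entry = summary[technique][vendor]
        category, tainted = classify(caption)
        if category is None:
            entry["excluded"] += 1
            continue
        entry["counted"] += 1
        entry["tainted"] += int(tainted)
        entry["categories"][category] += 1
    return summary


if __name__ == "__main__":
    for technique, vendors in sorted(summarize(SAMPLE).items()):
        for prefix, entry in sorted(vendors.items()):
            cats = ", ".join(f"{k}={v}" for k, v in sorted(entry["categories"].items()))
            print(f"{technique} {VENDOR_LABELS.get(prefix, prefix):12} counted={entry['counted']} "
                  f"tainted={entry['tainted']} excluded={entry['excluded']} [{cats}]")
```

Feed it the full listing and the "tainted" and "excluded" columns show how much of a vendor's coverage for a technique rests on a parent alert rather than on the technique itself, which is the distinction the blog's discussion of detection types turns on.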
attack.mitre.org/techniques/T1022/ | T1022 |
attackevals.mitre.org/cb-19.b.1-2.png.html | Enrichment of recycler.exe with correct ATT&CK Technique (T1002 - Data Compressed)
attack.mitre.org/techniques/T1056/ | T1056 |
attackevals.mitre.org/ct-8.c.1-2.png.html | Command-Line Interface view for host Nimda kicking off DDNA Scan for PID 11252 (does not count as a detection) |
attackevals.mitre.org/ct-8.c.1-3.png.html | DDNA JSON output from PID 11252 showing process capabilities (does not count as a detection) |
attackevals.mitre.org/ct-8.c.1-1.png.html | Telemetry showing remote thread being created into explorer.exe (does not count as a detection) |
attackevals.mitre.org/cs-8.c.1-1.png.html | Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not coun... |
attackevals.mitre.org/cr-8.c.1-10.png.html | Alert for Chain of Injections for powershell.exe injecting into cmd.exe (does not count as detection) |
attackevals.mitre.org/cr-8.c.1-11.png.html | Alert showing loaded keyloggerx64.dll module (does not count as detection) |
attackevals.mitre.org/cr-8.c.1-12.png.html | Alert showing keyloggerx64.dll module loaded into explorer.exe, including memory address and size (does not count as a detection... |
attackevals.mitre.org/cr-8.c.1-100.png.html | Alert for Chain of Injections showing powershell.exe injecting into explorer.exe (does not count as detection) |
attackevals.mitre.org/eg-08-2.png.html | Event tree showing a Process Injection alert from which strings were pulled (does not count as a detection) |
attackevals.mitre.org/eg-08-4.png.html | Strings output extracted from Process Injection alert, showing key definitions typically associated with a keylogger, but no evi... |
attackevals.mitre.org/ms-8.c.1-3.png.html | Telemetry showing explorer.exe reading user keystrokes |
attackevals.mitre.org/ms-8.c.1-2.png.html | Specific Behavior alert for "Possible keylogging activity" against explorer.exe
attackevals.mitre.org/ms-8.c.1-1.png.html | Execution sequence showing cmd.exe injecting into explorer.exe (does not count as a detection) |
attackevals.mitre.org/rsa-08-3.png.html | Floating Code module output showing keylogger key definitions (does not count as a detection) |
attackevals.mitre.org/rsa-08-2.png.html | Floating Code module output showing keylogger aggressor script (does not count as a detection) |
attackevals.mitre.org/s1-8.c.1-2.png.html | Telemetry showing GetAsyncKeyStateApi (Group ID tainted the event but was not shown in this view) |
attackevals.mitre.org/s1-8.c.1-1.png.html | Telemetry showing process injection into explorer.exe (does not count as a detection) |
attackevals.mitre.org/cb-15.a.1-1.png.html | Telemetry showing modloads associated with keylogger |
attackevals.mitre.org/cb-15.a.1-3.png.html | Enrichment of data with tag "PowerShell Input Capture -keylogger"
attackevals.mitre.org/cs-15.b.1-1.png.html | Telemetry showing FsPostOpen event for IT_tasks.txt |
attackevals.mitre.org/cs-15.b.1-2.png.html | Telemetry showing file read event for IT_tasks.txt |
attackevals.mitre.org/cr-15.a.1-20.png.html | Indicator of Compromise alert for Malicious Command Get-Keystrokes |
attackevals.mitre.org/cr-15.a.1-100.png.html | Telemetry showing modloads associated with a keylogger |
attackevals.mitre.org/eg-15-1.png.html | Telemetry showing PowerShell Script Block logging with execution of Get-KeyStrokes (does not count as a detection) |
attackevals.mitre.org/fe-15.a.1-1.png.html | PowerShell activity during the time of the keylogging (does not count as detection) |
attackevals.mitre.org/ms-15.a.1-1.png.html | Telemetry showing execution of Get-Keystrokes cmdlet |
attackevals.mitre.org/ms-15.a.1-2.png.html | Telemetry showing keylogger events |
attackevals.mitre.org/ms-15.a.1-3.png.html | Specific Behavior alert for keylogging activity from powershell.exe |
attackevals.mitre.org/ms-15.a.1-5.png.html | Parent alert showing process tree view showing tainted relationship (specific instance of this technique not shown in the alert) |
attackevals.mitre.org/s1-15.a.1-1.png.html | Enrichment of use of GetAsyncKeyStateApi tagged as a keylogger (tainted by relationship to threat story but Group ID not shown i... |
attack.mitre.org/techniques/T1026/ | T1026 |
attackevals.mitre.org/cb-6.b.1-3.png.html | Telemetry showing network connection over UDP port 53 |
attackevals.mitre.org/ct-6.b.1-1.png.html | Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by parent "Sponsor Process Established ...
attackevals.mitre.org/cs-6.c.1-1.png.html | Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server) |
attackevals.mitre.org/eg-06-6.png.html | Telemetry showing DNS connections |
attackevals.mitre.org/eg-06-7.png.html | Telemetry showing port 80 traffic (tainted by the parent Malicious File Detection alert) |
attackevals.mitre.org/fe-6.b.1-2.png.html | Telemetry showing DNS requests (field name dnsLookupEvents/Generated) and HTTP requests (field name urlMonitorEvents/Generated) |
attackevals.mitre.org/ms-6.b.1-1.png.html | Telemetry showing execution sequence for rundll32.exe opening network connection |
attackevals.mitre.org/ms-6.b.1-2.png.html | Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection
attackevals.mitre.org/ms-6.b.1-3.png.html | Telemetry showing DNS traffic to C2 domain |
attackevals.mitre.org/s1-6.b.1-1.png.html | Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Gr... |
attack.mitre.org/techniques/T1077/ | T1077 |
attackevals.mitre.org/fe-16.b.1-3.png.html | Excerpt from the Managed Defense Report indicating the attacker unmounted the share from CodeRed (Specific Behavior) |
attackevals.mitre.org/cb-16.d.1-2.png.html | Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic... |
attackevals.mitre.org/cr-16.d.1-100.png.html | Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) ... |
attackevals.mitre.org/cb-16.a.1-3.png.html | Specific Behavior alerts for of the 4 different net.exe logon attempts |
attack.mitre.org/techniques/T1115/ | T1115 |
attackevals.mitre.org/cs-12.e.1.5-1.png.html | OverWatch alert indicating encoded PowerShell was suspicious (does not count as a detection) |
attackevals.mitre.org/cs-12.e.1.5-3.png.html | Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection... |
attackevals.mitre.org/cs-12.e.1-2.png.html | Telemetry showing encoded PowerShell, which decodes to show Windows.Clipboard details (does not count as a detection) |
attackevals.mitre.org/cr-12.e.1.5-1.png.html | Telemetry of the PowerShell function to gather clipboard data (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-12-4.png.html | Telemetry showing decoded PowerShell displaying Windows.Clipboard as part of WinEnum. The PowerShell process was tainted by pare... |
attackevals.mitre.org/fe-12.e.1.5-2.png.html | Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection... |
attackevals.mitre.org/fe-12.e.1.5-1.png.html | PowerShell Execution alert containing encoded PowerShell command (does not count as a detection) |
attack.mitre.org/techniques/T1050/ | T1050 |
attackevals.mitre.org/ct-16.i.1-2.png.html | Specific Behavior alert for "New Windows service created" and additional alert for "Windows Service Registry Key modified... |
attackevals.mitre.org/cs-16.h.1-2.png.html | Telemetry from process tree showing sc.exe execution to create the AdobeUpdater service (tainted from previous powershell.exe de... |
attackevals.mitre.org/cr-16.i.1-13.png.html | Specific Behavior alert for unconventional new service with correct ATT&CK Technique (New Service) and Tactics (Persistence, Pri... |
attackevals.mitre.org/eg-16-13.png.html | Specific Behavior alert for new service AdobeUpdater creation on Creeper tagged with correct ATT&CK Technique (T1050 - New Servi... |
attackevals.mitre.org/ms-16.i.1-3.png.html | Specific Behavior alert on suspicious service registration on Creeper |
attackevals.mitre.org/ms-16.i.1-2.png.html | Telemetry showing AdobeUpdater service registry information that was changed on Creeper |
attack.mitre.org/techniques/T1069/ | T1069 |
attackevals.mitre.org/ct-12.e.1.2-1.png.html | Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper) |
attackevals.mitre.org/fe-12.e.1.2-1.png.html | Telemetry showing loading of System.DirectoryServices.AccountManagement assembly (does not count as a detection) |
attackevals.mitre.org/cb-12.f.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-12.f.1-1.png.html | Enrichment of net.exe with conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command (tainted by ... |
attackevals.mitre.org/cs-12.f.1-3.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red l... |
attackevals.mitre.org/cs-12.f.1-1.png.html | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted from previous po... |
attackevals.mitre.org/cr-12.f.1-1.png.html | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-12.f.1-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discove... |
attackevals.mitre.org/eg-12-5.png.html | Enrichment on net group by Enumeration of Administrator Accounts alert (mapped to correct ATT&CK Technique, T1069 - Permission G... |
attackevals.mitre.org/fe-12.f.1-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Di... |
attackevals.mitre.org/ms-12.f.1-1.png.html | Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments |
attackevals.mitre.org/ms-12.f.1-2.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-li... |
attackevals.mitre.org/cb-12.f.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-12.f.2-1.png.html | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the... |
attackevals.mitre.org/cs-12.f.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red l... |
attackevals.mitre.org/cr-12.f.2-1.png.html | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-12.f.2-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discove... |
attackevals.mitre.org/fe-12.f.2-1.png.html | Enrichment of net.exe with command-line arguments (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, an... |
attackevals.mitre.org/ms-12.f.2-2.png.html | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-li... |
attackevals.mitre.org/ms-12.f.2-1.png.html | Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments |
attackevals.mitre.org/cb-2.f.1-3.png.html | Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery) |
attackevals.mitre.org/cb-2.f.1-2.png.html | Enrichment of net.exe with tag Administrator Enumeration |
attackevals.mitre.org/cb-2.f.1-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/ct-2.f.1-1.png.html | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the... |
attackevals.mitre.org/cs-2.f.1-3.png.html | OverWatch General Behavior alert for net localgroup |
attackevals.mitre.org/cs-2.f.1-1.png.html | Telemetry showing net with command-line arguments |
attackevals.mitre.org/cr-2.f.1-10.png.html | Telemetry showing cmd.exe executing net with command-line arguments |
attackevals.mitre.org/cr-2.f.1-100.png.html | Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) |
attackevals.mitre.org/eg-02-10.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/eg-02-16.png.html | Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correc... |
attackevals.mitre.org/fe-2.f.1-2.png.html | Excerpt from the Managed Defense Report with additional details about net |
attackevals.mitre.org/fe-2.f.1-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Di... |
attackevals.mitre.org/ms-2.f.1-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/ms-2.f.1-2.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line a... |
attackevals.mitre.org/s1-2.a.1-10.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-2.f.3-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/cb-2.f.3-3.png.html | Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery) |
attackevals.mitre.org/cb-2.f.3-2.png.html | Enrichment of net.exe with tag Administrator Enumeration |
attackevals.mitre.org/ct-2.f.3-1.png.html | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the... |
attackevals.mitre.org/cs-2.f.1-2.png.html | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by orange line f... |
attackevals.mitre.org/cr-2.f.3-100.png.html | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discove... |
attackevals.mitre.org/cr-2.f.3-10.png.html | Telemetry showing cmd.exe executing net with command-line arguments |
attackevals.mitre.org/eg-02-12.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/eg-02-17.png.html | Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correc... |
attackevals.mitre.org/fe-2.f.3-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Di... |
attackevals.mitre.org/fe-2.f.3-2.png.html | Excerpt from the Managed Defense Report with additional details about net |
attackevals.mitre.org/ms-2.f.3-2.png.html | Telemetry showing domain admins group discovery by Nimda at the domain controller |
attackevals.mitre.org/ms-2.f.3-3.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line a... |
attackevals.mitre.org/ms-2.f.3-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/rsa-02-5.png.html | Event enrichment from IIOC module "Enumerates domain administrators" |
attackevals.mitre.org/s1-2.a.1-12.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attackevals.mitre.org/cb-2.f.2-1.png.html | Telemetry from process tree showing net.exe with command-line arguments |
attackevals.mitre.org/cb-2.f.2-2.png.html | Enrichment of net.exe with tag Administrator Enumeration |
attackevals.mitre.org/cb-2.f.2-3.png.html | Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery) |
attackevals.mitre.org/ct-2.f.2-1.png.html | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the... |
attackevals.mitre.org/cr-2.f.2-10.png.html | Telemetry showing cmd.exe executing net with command-line arguments |
attackevals.mitre.org/cr-2.f.2-100.png.html | Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) |
attackevals.mitre.org/eg-02-11.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) |
attackevals.mitre.org/fe-2.f.2-1.png.html | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Di... |
attackevals.mitre.org/fe-2.f.2-2.png.html | Excerpt from the Managed Defense Report with additional details about net |
attackevals.mitre.org/ms-2.f.2-2.png.html | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line a... |
attackevals.mitre.org/ms-2.f.2-1.png.html | Telemetry showing execution sequence for net.exe with command-line arguments |
attackevals.mitre.org/s1-2.a.1-11.png.html | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1126/ | T1126 |
attackevals.mitre.org/cb-16.c.1-1.png.html | Telemetry showing process tree with net.exe and command-line arguments |
attackevals.mitre.org/ct-16.c.1-1.png.html | Telemetry showing net.exe and command-line arguments (tainted by the parent "Powershell executed remote commands" alert) |
attackevals.mitre.org/cs-16.c.1-1.png.html | Telemetry from process tree showing net.exe executing with command-line arguments (tainted by previous powershell.exe detection ... |
attackevals.mitre.org/cr-16.c.1-10.png.html | General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert) |
attackevals.mitre.org/eg-16-5.png.html | Telemetry showing event tree containing net.exe and command-line argument (tainted by parent PowerShell alert) |
attackevals.mitre.org/fe-16.c.1-1.png.html | Telemetry showed net.exe executing with command-line arguments. |
attackevals.mitre.org/ms-16.c.1-1.png.html | Telemetry showing net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content) |
attackevals.mitre.org/rsa-16-3.png.html | Telemetry showing net.exe execution and command-line arguments |
attackevals.mitre.org/s1-16.c.1-1.png.html | Telemetry showing net.exe and command-line arguments (tainted by relationship to threat story) |
attack.mitre.org/techniques/T1107/ | T1107 |
attackevals.mitre.org/cb-19.d.1-1.png.html | Telemetry showing filemod (file modification) deletion of recycler.exe |
attackevals.mitre.org/ct-19.d.1-1.png.html | Telemetry showing powershell.exe deleting old.rar (tainted by the parent "PowerShell executed encoded commands" alert) |
attackevals.mitre.org/cs-19.d.1-1.png.html | Telemetry showing deletion of old.rar |
attackevals.mitre.org/cr-19.d.1-10.png.html | Telemetry showing a deletion event for old.rar via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process... |
attackevals.mitre.org/ms-19.d.1-1.png.html | Telemetry showing PowerShell executing the Remove-Item cmdlet (does not count as a detection) |
attackevals.mitre.org/rsa-19-3.png.html | Master file table on 10.0.1.5 (CodeRed) shows old.rar listed under deleted files (does not count as a detection) |
attackevals.mitre.org/s1-19.d.1-1.png.html | Telemetry exported from threat story showing the deletion of recycler.exe was tainted by prior activity because it was under the... |
attackevals.mitre.org/ct-19.d.2-1.png.html | Telemetry showing powershell.exe deleting recycler.exe (tainted by the parent "PowerShell executed encoded commands" alert) |
attackevals.mitre.org/cs-19.d.1-2.png.html | Telemetry showing deletion of recycler.exe |
attackevals.mitre.org/cr-19.d.2-10.png.html | Telemetry showing a deletion event for recycler.exe via powershell.exe (tainted by a parent PowerShell alert, listed as Owner pr... |
attackevals.mitre.org/eg-19-3.png.html | Telemetry showing file deletion of recycler.exe |
attack.mitre.org/techniques/T1106/ | T1106 |
attack.mitre.org/techniques/T1105/ | T1105 |
attackevals.mitre.org/ct-19.a.1-2.png.html | Telemetry showing creation of recycler.exe (tainted by "Powershell executed encoded commands" and "Policy Dropper Behavior" ... |
attackevals.mitre.org/ct-19.a.1-1.png.html | General Behavior alert for "Policy Dropper Behavior" based on three correlated events |
attackevals.mitre.org/cs-19.a.1-3.png.html | Telemetry showing network connection from 192.168.0.5 (C2 server) used by powershell.exe to transfer recycler.exe (parent powers... |
attackevals.mitre.org/cs-19.a.1-1.png.html | Telemetry showing file write of recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indica... |
attackevals.mitre.org/cr-19.a.1-20.png.html | Telemetry showing file create/write of recycler.exe (tainted by a parent PowerShell alert, listed as Owner process) |
attackevals.mitre.org/cb-7.b.1-1.png.html | Telemetry showing updater.dll written to disk |
attackevals.mitre.org/ct-7.b.1-1.png.html | Telemetry showing creation of updater.dll (tainted by the parent "Powershell process created" alert) |
attackevals.mitre.org/cs-7.b.1-2.png.html | Additional telemetry showing file write for updater.dll |
attackevals.mitre.org/cs-7.b.1-1.png.html | Telemetry showing file write for updater.dll (tainted by the parent "unexpected process" alert) |
attackevals.mitre.org/cr-7.b.1-10.png.html | Telemetry showing the file write of updater.dll (tainted by a parent alert on cmd.exe, listed as Owner Process) |
attackevals.mitre.org/cr-7.b.1-11.png.html | Parent alert for updater.dll being detected as known malware |
attackevals.mitre.org/eg-07-1.png.html | Telemetry showing creation of updater.dll (tainted by parent Malicious File Detection alert) |
attackevals.mitre.org/fe-7.b.1-2.png.html | Telemetry showing updater.dll file write (tainted by parent AV signature alert) |
attackevals.mitre.org/fe-7.b.1-1.png.html | Enrichment of updater.dll file write by cmd.exe with alert for CMD File Write (tagged with correct ATT&CK Technique, T1105 - Re... |
attackevals.mitre.org/ms-7.b.1-1.png.html | Telemetry showing file write of updater.dll |
attackevals.mitre.org/rsa-07-1.png.html | Telemetry showing file write event of updater.dll |
attackevals.mitre.org/s1-7.b.1-1.png.html | Telemetry showing file write of updater.dll (tainted by relationship to threat story) |
attackevals.mitre.org/cb-16.e.1-1.png.html | Telemetry showing creation and write to autoupdate.vbs |
attackevals.mitre.org/ct-16.e.1-1.png.html | Telemetry showing powershell.exe creating autoupdate.vbs (tainted by parent "Powershell executed remote commands" alerts) |
attackevals.mitre.org/cs-16.e.1-1.png.html | Telemetry showing File Write and New Script Write for autoupdate.vbs within powershell.exe (tainted by previous detection by ora... |
attackevals.mitre.org/cr-16.e.1-10.png.html | Telemetry showing file write of autoupdate.vbs (tainted by a parent PowerShell alert, listed as Owner process) |
attackevals.mitre.org/eg-16-8.png.html | Telemetry showing creation of autoupdate.vbs (tainted by parent PowerShell alert) |
attackevals.mitre.org/fe-16.e.1-2.png.html | Additional details on enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert |
attackevals.mitre.org/fe-16.e.1-1.png.html | Enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert (tagged with correct ATT&CK Technique, T110... |
attackevals.mitre.org/ms-16.e.1-1.png.html | Telemetry showing autoupdate.vbs creation (tainted by parent alert on PowerShell script with suspicious content) |
attackevals.mitre.org/rsa-16-5.png.html | Telemetry showing file write of autoupdate.vbs |
attackevals.mitre.org/s1-16.e.1-2.png.html | Telemetry showing creation and writes to autoupdate.vbs |
attackevals.mitre.org/s1-16.e.1-1.png.html | Telemetry showing file event for autoupdate.vbs (tainted by relationship to threat story but Group ID not shown in this view) |
attackevals.mitre.org/cr-14.a.1-10.png.html | Specific Behavior alert for Download & execute of the wdbypass file |
attackevals.mitre.org/cb-16.g.1-1.png.html | Telemetry showing remote creation and write to update.vbs |
attackevals.mitre.org/ct-16.g.1-1.png.html | Enrichment of powershell.exe creating update.vbs (tainted by parent "Powershell executed remote commands" alerts) |
attackevals.mitre.org/cs-16.g.1-1.png.html | Telemetry showing update.vbs with event_name NewScriptWritten indicating a write to C$ |
attackevals.mitre.org/cr-16.g.1-10.png.html | Telemetry of file events for write of update.vbs to Creeper (10.0.0.4) (tainted by a parent PowerShell alert, listed as Owner pr... |
attackevals.mitre.org/fe-16.g.1-1.png.html | Enrichment of powershell.exe writing update.vbs with File Write to Network Share alert |
attackevals.mitre.org/fe-16.g.1-2.png.html | Excerpt from the Managed Defense Report of the write of the autoupdate.vbs script (Specific Behavior) |
attackevals.mitre.org/ms-16.g.1-1.png.html | Telemetry showing file creation of update.vbs on 10.0.0.4 (Creeper) |
attackevals.mitre.org/ms-16.g.1-2.png.html | Telemetry showing for remote creation of update.vbs on 10.0.0.4 (Creeper) from 10.0.1.5 (CodeRed) |
attackevals.mitre.org/s1-16.g.1-2.png.html | Telemetry showing create file event of update.vbs on 10.0.0.4 (Creeper) (tainted by relationship to threat story but Group ID no... |
attack.mitre.org/techniques/T1134/ | T1134 |
attackevals.mitre.org/cb-3.a.1-5.png.html | Telemetry showing svchost.exe activity related to token manipulation |
attackevals.mitre.org/cb-3.a.1-6.png.html | Telemetry showing svchost.exe command line arguments, specifically seclogon |
attackevals.mitre.org/cr-3.a.1-10.png.html | Telemetry showing the bypassuactoken.x64.dll was loaded (does not count as a detection) |
attackevals.mitre.org/eg-03-7.png.html | Telemetry showing svhost.exe seclogon event for token login id 0x5f997f7 (100243447) |
attackevals.mitre.org/cb-5.b.1-2.png.html | Telemetry showing parent cmd.exe process running under user context Debbie |
attackevals.mitre.org/cb-5.b.1-3.png.html | Telemetry showing child cmd.exe process running under user context George |
attackevals.mitre.org/cs-5.b.1-1.png.html | Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George |
attackevals.mitre.org/cr-5.b.1-10.png.html | Telemetry within the process tree showing cmd.exe associated with users Debbie and George (tainted by a parent alert on explorer... |
attackevals.mitre.org/eg-05-7.png.html | Telemetry showing the cmd.exe that spawned as user George from rundll32.exe running as user Debbie (tainted by parent Privilege ... |
attackevals.mitre.org/eg-05-6.png.html | Specific Behavior alert on Privilege Escalation showing a process spawning (cmd.exe) with different tokens than the parent (rund... |
attackevals.mitre.org/fe-5.b.1-1.png.html | Telemetry showing the user George executing reg.exe with command-line arguments during Step 6 |
attackevals.mitre.org/ms-5.b.1-4.png.html | Alert for suspicious process injection showing tainted association via a process tree containing subsequent cmd.exe processes (i... |
attackevals.mitre.org/ms-5.b.1-2.png.html | Telemetry showing resulting cmd.exe running as user George |
attackevals.mitre.org/ms-5.b.1-1.png.html | Telemetry showing svchost.exe invocation with seclogon flag subsequently running cmd.exe as SYSTEM |
attack.mitre.org/techniques/T1064/ | T1064 |
attackevals.mitre.org/cb-1.a.1-3.png.html | Telemetry from process tree showing cmd.exe running the pdfhelper.cmd script |
attackevals.mitre.org/ct-1.a.1-4.png.html | Telemetry showing cmd.exe running pdfhelper.cmd (tainted by the Script File Created alert) |
attackevals.mitre.org/cs-1.a.1-7.png.html | Telemetry showing pdfhelper.cmd execution |
attackevals.mitre.org/cs-1.a.1-5.png.html | OverWatch General Behavior alert indicating pdfhelper.cmd execution was suspicious |
attackevals.mitre.org/cr-1.a.1-20.png.html | Telemetry showing cmd.exe launching pdfhelper.cmd (tainted by parent alert on explorer.exe) |
attackevals.mitre.org/eg-01-3.png.html | Telemetry showing pdfhelper.cmd spawned as a child process of Resume Viewer.exe (tainted by parent Malicious File Detection aler... |
attackevals.mitre.org/eg-01-9.png.html | Telemetry showing cmd.exe process creation and execution of pdfhelper.cmd (tainted by parent Malicious File Detection alert) |
attackevals.mitre.org/fe-1.a.1-2.png.html | Telemetry showing the child cmd.exe process running the pdfhelper.cmd script |
attackevals.mitre.org/ms-1.b.1-1.png.html | Telemetry showing write of autoupdate.bat to startup folder |
attackevals.mitre.org/s1-1.b.1-1.png.html | Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story) |
attackevals.mitre.org/cb-11.a.1-1.png.html | Enrichment of backgroundtaskhost.exe and powershell.exe with correct ATT&CK Technique (T1043 - Commonly Used Port) |
attackevals.mitre.org/cb-11.a.1-3.png.html | Specific Behavior alerts for Powershell scripting |
attackevals.mitre.org/cb-11.a.1-2.png.html | Telemetry showing process tree of script execution |
attackevals.mitre.org/ct-11.a.1-3.png.html | Telemetry showing powershell.exe creation from wscript.exe (tainted by the parent Script File Created alert) |
attackevals.mitre.org/ct-11.a.1-2.png.html | Telemetry showing script execution (tainted by the parent Script File Created alert) |
attackevals.mitre.org/cs-11.a.1-2.png.html | General Behavior alert from OverWatch for wscript.exe executing launcher.vbs was suspicious |
attackevals.mitre.org/cs-11.a.1-1.png.html | Specific Behavior alert for PowerShell sharing characteristics with known exploit kits |
attackevals.mitre.org/cr-11.a.1-14.png.html | Specific Behavior alert for powershell.exe, labeled with Command and Control and Malicious use of PowerShell |
attackevals.mitre.org/cr-11.a.1-12.png.html | Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-11.a.1-11.png.html | Specific Behavior alert tagged as obfuscated PowerShell payload and downloader mapped to the correct ATT&CK Tactic (Execution) a... |
attackevals.mitre.org/eg-11-1.png.html | Specific Behavior alert for powershell.exe also showing telemetry for script execution (mapped to related ATT&CK Technique, T10... |
attackevals.mitre.org/eg-11-7.png.html | Specific Behavior alert for wscript.exe launching powershell.exe (mapped to the correct ATT&CK Technique, T1064 - Scripting, and... |
attackevals.mitre.org/fe-11.a.1-4.png.html | Indicator of Compromise alert for EMPIRE RAT (tagged with related ATT&CK Technique, T1086 - PowerShell) |
attackevals.mitre.org/fe-11.a.1-1.png.html | Enrichment of wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T064 - Scripting, and Tactic, Exec... |
attackevals.mitre.org/fe-11.a.1-3.png.html | Additional details on Specific Behavior alert for Suspicious PowerShell Usage |
attackevals.mitre.org/fe-11.a.1-2.png.html | Specific Behavior alert for Suspicious PowerShell Usage showing powershell.exe execution (tagged with related ATT&CK Technique, ... |
attackevals.mitre.org/ms-11.a.1-8.png.html | Process tree of alert showing containing malicious PowerShell cmdlets related to Empire |
attackevals.mitre.org/ms-11.a.1-4.png.html | Telemetry showing PowerShell script metadata and decoded command-line arguments |
attackevals.mitre.org/ms-11.a.1-5.png.html | Specific Behavior alert for "Suspicious PowerShell command-line" |
attackevals.mitre.org/ms-11.a.1-6.png.html | Specific Behavior alert for "PowerShell script with suspicious content" detected through Antimalware Scan Interface extracted ... |
attackevals.mitre.org/ms-11.a.1-7.png.html | Specific Behavior alert for PowerShell script with malicious cmdlets |
attackevals.mitre.org/ms-11.a.1-1.png.html | Telemetry showing execution of autoupdate.vbs script |
attackevals.mitre.org/ms-11.a.1-2.png.html | Telemetry showing execution of wscript.exe |
attackevals.mitre.org/ms-11.a.1-3.png.html | Telemetry showing execution of PowerShell cmdlets from wscript.exe |
attackevals.mitre.org/rsa-11-1.png.html | Telemetry showing the autoupdate.vbs script executed by wscript.exe |
attackevals.mitre.org/s1-11.a.1-1.png.html | General Behavior alert for execution of autoupdate.vbs listed as an active threat |
attackevals.mitre.org/s1-11.a.1-2.png.html | Telemetry showing wscript.exe and powershell.exe |
attackevals.mitre.org/cb-12.e.1-2.png.html | Telemetry showing dynamically loaded libraries (modloads) that may indicate PowerShell functionality |
attackevals.mitre.org/cb-12.e.1-1.png.html | Telemetry showing powershell.exe execution |
attackevals.mitre.org/cs-12.e.1-1.png.html | Telemetry showing the temp write of the ps1 script |
attackevals.mitre.org/cs-12.e.1-3.png.html | Email excerpt from OverWatch team indicating they observed an unidentified PowerShell script running (Specific Behavior) |
attackevals.mitre.org/cs-12.e.1-4.png.html | OverWatch Specific Behavior alert indicating the PowerShell script was malicious |
attackevals.mitre.org/cr-12.e.1-100.png.html | Specific Behavior alert for Malicious use of PowerShell (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-12.e.1-2.png.html | Telemetry showing the temp write of the psm1 script module (tainted by a parent PowerShell alert) |
attackevals.mitre.org/cr-12.e.1-1.png.html | Specific Behavior alert for a PowerShell Malicious command, identified as the Invoke-WinEnum function |
attackevals.mitre.org/eg-12-e-01.png.html | Telemetry pulled by Interactive Shell showing the contents of the WinEnum script (does not count as a detection) |
attackevals.mitre.org/fe-12.e.1-1.png.html | Enrichment of powershell.exe with PowerShell Execution alert (tagged with related ATT&CK Technique T1086 - PowerShell) |
attackevals.mitre.org/ms-12.e.1-5.png.html | Specific Behavior alert for "A malicious PowerShell Cmdlet was invoked on the machine" |
attack.mitre.org/techniques/T1003/ | T1003 |
attackevals.mitre.org/cb-5.a.1-4.png.html | Specific Behavior alert showing correct ATT&CK Technique (Credential Dumping) |
attackevals.mitre.org/cs-5.a.1-6.png.html | Specific Behavior alert for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection by orange lin... |
attackevals.mitre.org/ms-5.a.1-2.png.html | Specific Behavior alert description for sensitive credential memory read |
attackevals.mitre.org/cs-5.a.2-4.png.html | Process tree view of Specific Behavior alerts for Credential Dumping and OverWatch General Behavior alert (tainted by previous d... |
attackevals.mitre.org/cs-5.a.2-1.png.html | Two Specific Behavior alerts for Credential Dumping (mapped to correct ATT&CK Technique, Credential Dumping, and Tactic, Credent... |
attack.mitre.org/techniques/T1041/ | T1041 |
attackevals.mitre.org/fe-9.b.1-1.png.html | DNS requests to freegoogleadsenseinfo.com (C2 domain) (does not count as a detection) |
attack.mitre.org/techniques/T1060/ | T1060 |
attackevals.mitre.org/cb-10.a.1-1.png.html | Telemetry from process tree showing cmd.exe executing autoupdate.bat from Startup folder |
attackevals.mitre.org/ct-10.a.1-2.png.html | Telemetry showing cmd.exe starting rundll32.exe |
attackevals.mitre.org/ct-10.a.1-3.png.html | Telemetry showing explorer.exe creating cmd.exe and executing .bat from startup |
attackevals.mitre.org/cs-10.a.1-1.png.html | Telemetry showing cmd.exe running autoupdate.bat from Startup folder |
attackevals.mitre.org/cr-10.a.1-10.png.html | Parent alert for Injected shellcode into rundll32.exe |
attackevals.mitre.org/cr-10.a.1-100.png.html | Telemetry showing rundll32.exe executing autoupdate.bat from the Startup folder (tainted by a parent Injected Shellcode alert) |
attackevals.mitre.org/eg-10-5.png.html | Telemetry showing rundll32.exe executing update.dat (tainted by parent "RunDLL32 with Suspicious DLL Location" alert) |
attackevals.mitre.org/fe-10.a.1-1.png.html | Enrichment of cmd.exe executing from Startup with Process Execution Startup alert (tagged with correct ATT&CK Technique, T1060 -... |
attackevals.mitre.org/fe-10.a.1-2.png.html | Telemetry showing cmd.exe executing autoupdate.bat from Startup folder |
attackevals.mitre.org/fe-10.a.1-3.png.html | Telemetry showing rundll32.exe executing update.dat (tainted by parent Rundll32 Execution alert) |
attackevals.mitre.org/fe-10.a.1-4.png.html | Additional details of rundll32.exe telemetry |
attackevals.mitre.org/fe-10.a.1-5.png.html | Excerpt from the Managed Defense Report indicating autoupdate.bat persisted due to its presence in startup (Specific Behavior) |
attackevals.mitre.org/ms-10.a.1-1.png.html | Telemetry showing Startup folder execution sequence for autoupdate.bat on user logon |
attackevals.mitre.org/rsa-10-1.png.html | Telemetry showing the execution of autoupdate.bat from the Startup Folder |
attackevals.mitre.org/s1-10.a.1-2.png.html | Telemetry showing execution of autoupdate.bat from the Startup folder |
attackevals.mitre.org/cb-1.b.1-1.png.html | Telemetry showing filemods indicating update.bat was written to the Startup folder |
attackevals.mitre.org/cb-1.b.1-2.png.html | Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder) |
attackevals.mitre.org/ct-1.b.1-1.png.html | Telemetry showing autoupdate.bat created in Startup folder |
attackevals.mitre.org/cs-1.b.1-1.png.html | Telemetry showing Registry modification related to Startup Folder |
attackevals.mitre.org/cr-1.b.1-100.png.html | Process tree showing the cmd.exe associated with the autoupdate.bat file event (tainted by parent alert on explorer.exe) |
attackevals.mitre.org/cr-1.b.1-10.png.html | Telemetry showing rename file event for autoupdate.bat |
attackevals.mitre.org/eg-01-7.png.html | "Detected Persistence - Start Folder Persistence" Specific Behavior alert related to autoupdate.bat (tagged with correct ATT&C... |
attackevals.mitre.org/eg-01-8.png.html | Telemetry showing autoupdate.bat written to the Start Menu (tainted by parent Malicious File Detection alert) |
attackevals.mitre.org/fe-1.b.1-1.png.html | Telemetry showing autoupdate.bat file written to the Startup folder |
attackevals.mitre.org/fe-1.b.1-2.png.html | Enrichment of autoupdate.bat being written to Startup with Persistence category |
attackevals.mitre.org/fe-1.b.1-3.png.html | Additional details on enrichment of autoupdate.dat |
attackevals.mitre.org/fe-1.b.1-4.png.html | Excerpt from the Managed Defense Report indicating the backdoor persisted via autoupdate.bat being written to the Startup direct... |
attack.mitre.org/techniques/T1061/ | T1061 |
attackevals.mitre.org/cr-7.a.1-30.png.html | Telemetry showing lusrmgr.msc running from mmc.exe |
attack.mitre.org/techniques/T1048/ | T1048 |
attackevals.mitre.org/cb-19.c.1-2.png.html | Enrichment of ftp.exe with correct ATT&CK Technique (Exfil Over Alternate Protocol) |
attackevals.mitre.org/cb-19.c.1-1.png.html | Telemetry from process tree showing execution of ftp.exe with command-line arguments |
attackevals.mitre.org/ct-19.c.1-1.png.html | Telemetry showing powershell.exe executing ftp.exe (tainted by the parent "Powershell executed encoded commands" alert) |
attackevals.mitre.org/ct-19.c.1-2.png.html | Telemetry showing outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by the parent "PowerShell executed... |
attackevals.mitre.org/cs-19.c.1-1.png.html | OverWatch General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious (tainted by previous powershell.exe de... |
attackevals.mitre.org/cr-19.c.1-11.png.html | Enrichment of ftp.exe execution with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Ap... |
attackevals.mitre.org/cr-19.c.1-10.png.html | Enrichment of ftp.exe execution in process tree with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used P... |
attackevals.mitre.org/cr-19.c.1-13.png.html | Continuation of enrichment of ftp.exe execution in process tree showing command-line arguments |
attackevals.mitre.org/cr-19.c.1-12.png.html | Continuation of enrichment of ftp.exe execution showing total number of bytes transmitted |
attackevals.mitre.org/eg-19-2.png.html | Telemetry showing the ftp.exe with command-line arguments including ftp.txt and subsequent connection to 192.168.0.4 (C2 server)... |
attackevals.mitre.org/fe-19.c.1-3.png.html | Enrichment of ftp.exe executing the ftp.txt file with FTP Utility Execution alert (tagged with the correct ATT&CK Software, S009... |
attackevals.mitre.org/fe-19.c.1-6.png.html | Excerpt from the Managed Defense Report showing the writing of FTP command to ftp.txt and the subsequent execution of the ftp.tx... |
attackevals.mitre.org/fe-19.c.1-5.png.html | Enrichment of TCP port 21 connection to 192.168.0.4 (C2 server) (tagged with correct ATT&CK Technique, T1048 - Exfiltration Over... |
attackevals.mitre.org/fe-19.c.1-4.png.html | Enrichment of ftp.exe executing ftp.txt based on the use of the -s argument with FTP Utility Execution alert |
attackevals.mitre.org/ms-19.c.1-2.png.html | Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 21 |
attackevals.mitre.org/ms-19.c.1-1.png.html | Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 20 |
attackevals.mitre.org/rsa-19-2.png.html | Telemetry showing the execution of ftp.exe |
attackevals.mitre.org/s1-19.c.1-1.png.html | Telemetry showing the execution of ftp.exe with ftp.txt associated to prior lateral movement threat story by Group ID |
attack.mitre.org/techniques/T1063/ | T1063 |
attackevals.mitre.org/eg-12-e-09.png.html | Interactive Shell events showing the WinEnum script and the Firewall Rules function (does not count as a detection due to manual... |
attackevals.mitre.org/eg-12-e-08.png.html | Interactive Shell events showing the WinEnum script and the AV Solution function (does not count as a detection due to manual pr... |
attack.mitre.org/techniques/T1002/ | T1002 |
attackevals.mitre.org/cb-19.b.1-3.png.html | Process tree with telemetry showing recycler.exe and command-line arguments |
attackevals.mitre.org/cb-19.b.1-1.png.html | Telemetry showing filemod (file modification) creation of old.rar output of recycler.exe |
attackevals.mitre.org/cr-19.b.1-10.png.html | Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert) |
attack.mitre.org/techniques/T1043/ | T1043 |
attackevals.mitre.org/cb-6.b.1-4.png.html | Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port) |
attackevals.mitre.org/cr-6.b.1-10.png.html | Enrichment of rundll32.exe making a connection over the \"HTTP Port\" with the correct ATT&CK Tactic (Command and Control) and T... |
attackevals.mitre.org/eg-06-2.png.html | Telemetry showing a TCP port 80 connection from rundll32.exe |
attackevals.mitre.org/fe-6.b.1-1.png.html | Telemetry showing port 80 connections to 192.168.0.4 (C2 server) |
attackevals.mitre.org/rsa-06-2.png.html | Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain) |
attackevals.mitre.org/cr-1.c.1-10.png.html | Telemetry showing port 53 command and control traffic |
attackevals.mitre.org/fe-1.c.1-1.png.html | Telemetry showing port 53 command and control traffic |
attackevals.mitre.org/fe-1.c.1-4.png.html | Excerpt from the Managed Defense Report indicating command and control occurred over UDP port 53 (Specific Behavior) |
attackevals.mitre.org/cb-14.a.1-3.png.html | Telemetry showing network connection to 192.168.0.5 (C2 server) over TCP port 8080 |
attackevals.mitre.org/cs-14.a.1-5.png.html | Telemetry showing IEX connection to 192.168.0.5 (C2 server) on TCP port 8080 |
attackevals.mitre.org/eg-14-3.png.html | General Behavior alert for Command and Control associated with network traffic from PowerShell over TCP port 8080 |
attackevals.mitre.org/fe-14.a.1-9.png.html | Excerpt from the Managed Defense Report indicating Empire communicated over port 8080 (General Behavior) |
attackevals.mitre.org/rsa-14-2.png.html | Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 |
attackevals.mitre.org/s1-14.a.1-2.png.html | Telemetry showing network connections over port 8080 in the filter (tainted by relationship to threat story but Group ID not sho... |
attackevals.mitre.org/cb-11.b.1-1.png.html | Telemetry showing network connections, including over TCP port 443 |
attackevals.mitre.org/cr-11.b.1-100.png.html | Enrichment of powershell.exe making a connection over a "HTTP Port", tagged with the correct ATT&CK Technique (Commonly Used Por... |
attackevals.mitre.org/eg-11-3.png.html | Telemetry showing powershell.exe making connections over port 443 (tainted by parent alert) |
attackevals.mitre.org/eg-11-5.png.html | Specific Behavior alert for "PowerShell Making Network Connections" (mapped to correct ATT&CK Tactic, Command and Control) |
attackevals.mitre.org/fe-11.b.1-3.png.html | Excerpt from the Managed Defense Report indicating Empire communicated over port 443 (General Behavior) |
attackevals.mitre.org/fe-11.b.1-1.png.html | Telemetry showing powershell.exe communicating over TCP port 443 (tainted by parent PowerShell Network Connection alert) |
attackevals.mitre.org/ms-11.b.1-1.png.html | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) |
attackevals.mitre.org/ms-11.a.1-9.png.html | Telemetry showing powershell.exe communicating over TCP port 443 |
attack.mitre.org/techniques/T1015/ | T1015 |
attackevals.mitre.org/cb-17.c.1-1.png.html | Telemetry showing creation and file write replacing magnify.exe in the system directory |
attackevals.mitre.org/ct-17.c.1-2.png.html | Telemetry showing copy of cmd.exe to magnify.exe in the system directory (tainted by the parent "New Windows service created" ... |
attackevals.mitre.org/ct-17.c.1-1.png.html | Enrichment showing powershell.exe creating and writing magnify.exe (enriched with condition "Creation of Sticky Keys File", ta... |
attackevals.mitre.org/cs-17.c.1-2.png.html | Additional view of telemetry showing the magnify.exe file write |
attackevals.mitre.org/cs-17.c.1-1.png.html | Telemetry showing file write of magnify.exe by powershell.exe (tainted by parent powershell.exe high severity alert indicated by... |
attackevals.mitre.org/cr-17.c.1-10.png.html | Telemetry showing creation and write events for magnify.exe (tainted by a parent PowerShell alert, listed as Owner process) |
attackevals.mitre.org/fe-17.c.1-1.png.html | Specific Behavior alert on overwrite of magnify.exe for Suspicious Accessibility Features Replacement (BACKDOOR) (tagged with co... |
attackevals.mitre.org/fe-17.c.1-3.png.html | Excerpt from the Managed Defense Report indicating the attacker overwrote magnifier.exe (Specific Behavior) |
attackevals.mitre.org/fe-17.c.1-2.png.html | Specific Behavior alert on overwrite of the magnify.exe for Accessibility Feature File Write (tagged with correct ATT&CK Techniq... |
attackevals.mitre.org/ms-17.c.1-1.png.html | Telemetry showing overwrite of magnify.exe |
attackevals.mitre.org/ms-17.c.1-2.png.html | Binary metadata and reputation information showing magnify.exe is cmd.exe due to names observed and common hash |
attackevals.mitre.org/ms-17.c.1-3.png.html | Specific Behavior alert on sticky keys binary hijack for persistence when magnify.exe was overwritten |
attackevals.mitre.org/rsa-17-2.png.html | Magnify.exe hash matches cmd.exe (top two hashes in Tracking pane, file names and full hash values cut off) |
attackevals.mitre.org/s1-17.c.1-1.png.html | Telemetry showing file copy and write events of cmd.exe to overwrite magnify.exe with matching hash values (tainted by prior lat... |
attackevals.mitre.org/cs-20.a.1-2.png.html | File details of magnify.exe in Accessibility Features Specific Behavior alert identifying it as cmd.exe by hash and common name |
attackevals.mitre.org/cs-20.a.1-1.png.html | Specific Behavior alert showing magnify.exe executing from utilman.exe (mapped to correct ATT&CK Technique, Accessibility Featur... |
attackevals.mitre.org/cr-20.a.1-11.png.html | Specific Behavior alert for magnify.exe, in process tree, masquerading as a Windows accessibility feature, mapped to the correct... |
attackevals.mitre.org/cr-20.a.1-10.png.html | Specific Behavior alert for magnify.exe masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Pe... |
attackevals.mitre.org/fe-20.a.1-3.png.html | General Behavior alert for RENAMED CMD.EXE |
attackevals.mitre.org/fe-20.a.1-4.png.html | Continued details for General Behavior alert for RENAMED CMD.EXE |
feeds.feedburner.com/reply-to-all | Subscribe in a reader |
schneier.com/blog/ | Schneier on Security |
securityfocus.com/ | Security Focus |
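The T1060 and T1015 rows above are screenshot captions: each sensor either recorded the raw event (a .bat file written to the Startup folder and later run by cmd.exe under explorer.exe; magnify.exe in System32 overwritten by a copy of cmd.exe and then launched from utilman.exe) or raised an alert on it, with FireEye's "RENAMED CMD.EXE" alert and RSA's hash match being the clearest statements of the check involved. The block below is an added example, written for this page and not taken from MITRE, any of the evaluated vendors, or the blog it links to: it runs those two checks as detection rules over a handful of constructed Sysmon-style events. The event shapes, the `KNOWN_GOOD` hash baseline (placeholder strings, not real hashes) and the file names are assumptions made for the example.

```python
"""Detection rules for T1060 (Startup folder persistence) and T1015 (accessibility
feature replacement), run over constructed, Sysmon-like telemetry events.

Added example; not code from the MITRE evaluation or the evaluated products."""
import re

# Binaries winlogon.exe / utilman.exe will launch from the logon screen as SYSTEM;
# swapping any of them for cmd.exe gives a SYSTEM shell without credentials.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".exe")

# Constructed baseline of known-good hashes (placeholders, not real SHA-256 values).
# In production this comes from a golden image or a signed file catalog.
KNOWN_GOOD = {"cmd.exe": "sha256:CMD", "magnify.exe": "sha256:MAGNIFY",
              "utilman.exe": "sha256:UTILMAN"}


def _name(path):
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(technique, event_id, reason)] for every event that matches a rule."""
    alerts = []
    for ev in events:
        eid, kind, image = ev["id"], ev["type"], _name(ev["image"])
        if kind == "FileCreate":
            target = ev["target"]
            # T1060: a script or binary dropped into any Startup folder.
            if STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXT):
                alerts.append(("T1060", eid, f"{image} wrote {_name(target)} to a Startup folder"))
            # T1015: accessibility binary in System32 rewritten by anything but servicing.
            m = SYSTEM32_RE.match(target)
            if m and m.group(1).lower() in ACCESSIBILITY_BINARIES and image != "trustedinstaller.exe":
                alerts.append(("T1015", eid, f"{image} overwrote {m.group(1)}"))
        elif kind == "ProcessCreate":
            cmdline, parent = ev.get("cmdline", ""), _name(ev.get("parent", ""))
            # T1060: cmd.exe spawned by explorer.exe at logon to run a Startup item.
            if image == "cmd.exe" and parent == "explorer.exe" and STARTUP_RE.search(cmdline):
                alerts.append(("T1060", eid, "cmd.exe executing a Startup folder item"))
            # T1015: the accessibility binary's hash belongs to a *different* known
            # binary (a renamed cmd.exe), or no longer matches its own baseline.
            h = ev.get("hash")
            impostor = [n for n, kh in KNOWN_GOOD.items() if kh == h and n != image]
            if image in ACCESSIBILITY_BINARIES and impostor:
                alerts.append(("T1015", eid, f"{image} is really {impostor[0]} by hash (parent {parent})"))
            elif image in ACCESSIBILITY_BINARIES and image in KNOWN_GOOD and h != KNOWN_GOOD[image]:
                alerts.append(("T1015", eid, f"{image} hash differs from baseline"))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed events modelled on the evaluation's steps 1.b, 10.a, 17.c and 20.a,
# followed by three benign events the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "type": "FileCreate", "image": PS, "target": STARTUP + r"\autoupdate.bat"},
    {"id": 2, "type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "hash": "sha256:CMD",
     "cmdline": 'cmd.exe /c "' + STARTUP + '\\autoupdate.bat"'},
    {"id": 3, "type": "FileCreate", "image": PS, "target": r"C:\Windows\System32\magnify.exe"},
    {"id": 4, "type": "ProcessCreate", "image": r"C:\Windows\System32\magnify.exe",
     "parent": r"C:\Windows\System32\utilman.exe", "cmdline": "magnify.exe", "hash": "sha256:CMD"},
    {"id": 5, "type": "FileCreate", "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\sethc.exe"},
    {"id": 6, "type": "ProcessCreate", "image": r"C:\Windows\System32\magnify.exe",
     "parent": r"C:\Windows\System32\utilman.exe", "cmdline": "magnify.exe", "hash": "sha256:MAGNIFY"},
    {"id": 7, "type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe", "hash": "sha256:CMD"},
]

if __name__ == "__main__":
    for technique, eid, reason in detect(SAMPLE_EVENTS):
        print(f"{technique} event {eid}: {reason}")
```

The hash rule is the one worth copying: a magnify.exe launched by utilman.exe is normal, so the process tree alone says nothing; it is the file hash matching cmd.exe (or simply not matching the baseline) that turns the event into the "renamed cmd.exe" detection the captions describe. The Startup rule deliberately keys on the folder path, not on the file name, because the page's autoupdate.bat is attacker-chosen.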
Internal links of the main page (200) | |
reply-to-all.blogspot.com/ | Home |
reply-to-all.blogspot.com/2019/02/mitre-edr.html | MITRE evaluated EDR, continued |
reply-to-all.blogspot.com/2018/12/mitre-edr.html | was noted |
reply-to-all.blogspot.com/search?updated-max=2019-02-23T18:1... | Older Posts |
reply-to-all.blogspot.com/feeds/posts/default | Posts (Atom) |
reply-to-all.blogspot.com/2019/ | 2019 |
reply-to-all.blogspot.com/2019/02/ | February |
reply-to-all.blogspot.com/2019/01/ | January |
reply-to-all.blogspot.com/2018/ | 2018 |
reply-to-all.blogspot.com/2018/12/ | December |
reply-to-all.blogspot.com/2018/11/ | November |
reply-to-all.blogspot.com/2018/10/ | October |
reply-to-all.blogspot.com/2018/09/ | September |
reply-to-all.blogspot.com/2018/08/ | August |
reply-to-all.blogspot.com/2018/07/ | July |
reply-to-all.blogspot.com/2018/06/ | June |
reply-to-all.blogspot.com/2018/05/ | May |
reply-to-all.blogspot.com/2018/04/ | April |
reply-to-all.blogspot.com/2018/03/ | March |
reply-to-all.blogspot.com/2018/02/ | February |
reply-to-all.blogspot.com/2018/01/ | January |
reply-to-all.blogspot.com/2017/ | 2017 |
reply-to-all.blogspot.com/2017/12/ | December |
reply-to-all.blogspot.com/2017/11/ | November |
reply-to-all.blogspot.com/2017/10/ | October |
reply-to-all.blogspot.com/2017/09/ | September |
reply-to-all.blogspot.com/2017/08/ | August |
reply-to-all.blogspot.com/2017/07/ | July |
reply-to-all.blogspot.com/2017/06/ | June |
reply-to-all.blogspot.com/2017/05/ | May |
reply-to-all.blogspot.com/2017/03/ | March |
reply-to-all.blogspot.com/2017/01/ | January |
reply-to-all.blogspot.com/2016/ | 2016 |
reply-to-all.blogspot.com/2016/12/ | December |
reply-to-all.blogspot.com/2016/11/ | November |
reply-to-all.blogspot.com/2016/10/ | October |
reply-to-all.blogspot.com/2016/07/ | July |
reply-to-all.blogspot.com/2016/05/ | May |
reply-to-all.blogspot.com/2016/04/ | April |
reply-to-all.blogspot.com/2016/02/ | February |
reply-to-all.blogspot.com/2016/01/ | January |
reply-to-all.blogspot.com/2015/ | 2015 |
reply-to-all.blogspot.com/2015/12/ | December |
reply-to-all.blogspot.com/2015/11/ | November |
reply-to-all.blogspot.com/2015/10/ | October |
reply-to-all.blogspot.com/2015/09/ | September |
reply-to-all.blogspot.com/2015/07/ | July |
reply-to-all.blogspot.com/2015/05/ | May |
reply-to-all.blogspot.com/2015/04/ | April |
reply-to-all.blogspot.com/2015/03/ | March |
reply-to-all.blogspot.com/2015/02/ | February |
reply-to-all.blogspot.com/2015/01/ | January |
reply-to-all.blogspot.com/2014/ | 2014 |
reply-to-all.blogspot.com/2014/12/ | December |
reply-to-all.blogspot.com/2014/11/ | November |
reply-to-all.blogspot.com/2014/10/ | October |
reply-to-all.blogspot.com/2014/07/ | July |
reply-to-all.blogspot.com/2014/06/ | June |
reply-to-all.blogspot.com/2014/05/ | May |
reply-to-all.blogspot.com/2014/04/ | April |
reply-to-all.blogspot.com/2014/03/ | March |
reply-to-all.blogspot.com/2014/01/ | January |
reply-to-all.blogspot.com/2013/ | 2013 |
reply-to-all.blogspot.com/2013/12/ | December |
reply-to-all.blogspot.com/2013/11/ | November |
reply-to-all.blogspot.com/2013/10/ | October |
reply-to-all.blogspot.com/2013/09/ | September |
reply-to-all.blogspot.com/2013/07/ | July |
reply-to-all.blogspot.com/2013/06/ | June |
reply-to-all.blogspot.com/2013/05/ | May |
reply-to-all.blogspot.com/2013/04/ | April |
reply-to-all.blogspot.com/2013/01/ | January |
reply-to-all.blogspot.com/2012/ | 2012 |
reply-to-all.blogspot.com/2012/12/ | December |
reply-to-all.blogspot.com/2012/11/ | November |
reply-to-all.blogspot.com/2012/10/ | October |
reply-to-all.blogspot.com/2012/09/ | September |
reply-to-all.blogspot.com/2012/07/ | July |
reply-to-all.blogspot.com/2012/06/ | June |
reply-to-all.blogspot.com/2012/05/ | May |
reply-to-all.blogspot.com/2012/04/ | April |
reply-to-all.blogspot.com/2012/03/ | March |
reply-to-all.blogspot.com/2012/02/ | February |
reply-to-all.blogspot.com/2012/01/ | January |
reply-to-all.blogspot.com/2011/ | 2011 |
reply-to-all.blogspot.com/2011/12/ | December |
reply-to-all.blogspot.com/2011/11/ | November |
reply-to-all.blogspot.com/2011/10/ | October |
reply-to-all.blogspot.com/2011/09/ | September |
reply-to-all.blogspot.com/2011/08/ | August |
reply-to-all.blogspot.com/2011/07/ | July |
reply-to-all.blogspot.com/2011/06/ | June |
reply-to-all.blogspot.com/2011/05/ | May |
reply-to-all.blogspot.com/2011/02/ | February |
reply-to-all.blogspot.com/2010/ | 2010 |
reply-to-all.blogspot.com/2010/11/ | November |
reply-to-all.blogspot.com/2010/10/ | October |
reply-to-all.blogspot.com/2010/09/ | September |
reply-to-all.blogspot.com/2010/04/ | April |
reply-to-all.blogspot.com/2010/03/ | March |
reply-to-all.blogspot.com/2009/ | 2009 |
reply-to-all.blogspot.com/2009/12/ | December |
reply-to-all.blogspot.com/2009/11/ | November |
reply-to-all.blogspot.com/2009/10/ | October |
reply-to-all.blogspot.com/2009/08/ | August |
reply-to-all.blogspot.com/2009/07/ | July |
reply-to-all.blogspot.com/2009/06/ | June |
reply-to-all.blogspot.com/2009/05/ | May |
reply-to-all.blogspot.com/2009/03/ | March |
reply-to-all.blogspot.com/2009/02/ | February |
reply-to-all.blogspot.com/2009/01/ | January |
reply-to-all.blogspot.com/2008/ | 2008 |
reply-to-all.blogspot.com/2008/12/ | December |
reply-to-all.blogspot.com/2008/11/ | November |
reply-to-all.blogspot.com/2008/10/ | October |
reply-to-all.blogspot.com/2008/08/ | August |
reply-to-all.blogspot.com/2008/07/ | July |
reply-to-all.blogspot.com/2008/06/ | June |
reply-to-all.blogspot.com/2008/03/ | March |
reply-to-all.blogspot.com/2008/02/ | February |
reply-to-all.blogspot.com/2008/01/ | January |
reply-to-all.blogspot.com/2007/ | 2007 |
reply-to-all.blogspot.com/2007/12/ | December |
reply-to-all.blogspot.com/2007/11/ | November |
reply-to-all.blogspot.com/2007/10/ | October |
reply-to-all.blogspot.com/2007/09/ | September |
reply-to-all.blogspot.com/2007/08/ | August |
reply-to-all.blogspot.com/2007/07/ | July |
reply-to-all.blogspot.com/2007/05/ | May |
reply-to-all.blogspot.com/2007/04/ | April |
reply-to-all.blogspot.com/2007/02/ | February |
reply-to-all.blogspot.com/2006/ | 2006 |
reply-to-all.blogspot.com/2006/01/ | January |
reply-to-all.blogspot.com/search/label/Enterprise%20Security | Enterprise Security |
reply-to-all.blogspot.com/search/label/Malware | Malware |
reply-to-all.blogspot.com/search/label/Fun | Fun |
reply-to-all.blogspot.com/search/label/SOC | SOC |
reply-to-all.blogspot.com/search/label/Monitoring | Monitoring |
reply-to-all.blogspot.com/search/label/Russia | Russia |
reply-to-all.blogspot.com/search/label/Audit | Audit |
reply-to-all.blogspot.com/search/label/Microsoft | Microsoft |
reply-to-all.blogspot.com/search/label/Web | Web |
reply-to-all.blogspot.com/search/label/APT | APT |
reply-to-all.blogspot.com/search/label/Security | Security |
reply-to-all.blogspot.com/search/label/Outsourcing | Outsourcing |
reply-to-all.blogspot.com/search/label/Log%20Analysis | Log Analysis |
reply-to-all.blogspot.com/search/label/Project%20Management | Project Management |
reply-to-all.blogspot.com/search/label/Software | Software |
reply-to-all.blogspot.com/search/label/Management | Management |
reply-to-all.blogspot.com/search/label/Society | Society |
reply-to-all.blogspot.com/search/label/IDS | IDS |
reply-to-all.blogspot.com/search/label/Opensource | Opensource |
reply-to-all.blogspot.com/search/label/Trends | Trends |
reply-to-all.blogspot.com/search/label/Elasticsearch | Elasticsearch |
reply-to-all.blogspot.com/search/label/Client%20security | Client security |
reply-to-all.blogspot.com/search/label/Kibana | Kibana |
reply-to-all.blogspot.com/search/label/News | News |
reply-to-all.blogspot.com/search/label/Enhancements | Enhancements |
reply-to-all.blogspot.com/search/label/Operations | Operations |
reply-to-all.blogspot.com/search/label/Programming | Programming |
reply-to-all.blogspot.com/search/label/Support | Support |
reply-to-all.blogspot.com/search/label/IDM | IDM |
reply-to-all.blogspot.com/search/label/Logstash | Logstash |
reply-to-all.blogspot.com/search/label/Technology | Technology |
reply-to-all.blogspot.com/search/label/Cryptography | Cryptography |
reply-to-all.blogspot.com/search/label/How-To | How-To |
reply-to-all.blogspot.com/search/label/Offtopic | Offtopic |
reply-to-all.blogspot.com/search/label/Operating%20Systems | Operating Systems |
reply-to-all.blogspot.com/search/label/Psychology | Psychology |
reply-to-all.blogspot.com/search/label/Risk%20Analysis | Risk Analysis |
reply-to-all.blogspot.com/search/label/Security%20Incidents | Security Incidents |
reply-to-all.blogspot.com/search/label/Apple | Apple |
reply-to-all.blogspot.com/search/label/Architecture | Architecture |
reply-to-all.blogspot.com/search/label/Clouds | Clouds |
reply-to-all.blogspot.com/search/label/Compliance | Compliance |
reply-to-all.blogspot.com/search/label/DLP%20and%20DRM%2FIRM | DLP and DRM/IRM |
reply-to-all.blogspot.com/search/label/Incident%20response | Incident response |
reply-to-all.blogspot.com/search/label/PKI | PKI |
reply-to-all.blogspot.com/search/label/Standards | Standards |
reply-to-all.blogspot.com/search/label/Tools | Tools |
reply-to-all.blogspot.com/search/label/Virtualization | Virtualization |
reply-to-all.blogspot.com/search/label/HR | HR |
reply-to-all.blogspot.com/search/label/ISS | ISS |
reply-to-all.blogspot.com/search/label/IoNA | IoNA |
reply-to-all.blogspot.com/search/label/Miscellaneous | Miscellaneous |
reply-to-all.blogspot.com/search/label/Mobile%20Devices | Mobile Devices |
reply-to-all.blogspot.com/search/label/Physical%20Security | Physical Security |
reply-to-all.blogspot.com/search/label/SAP | SAP |
reply-to-all.blogspot.com/search/label/Security%20Engineerin... | Security Engineering |
reply-to-all.blogspot.com/search/label/Social%20Engineering | Social Engineering |
reply-to-all.blogspot.com/search/label/Spam | Spam |
reply-to-all.blogspot.com/search/label/business%20idea | business idea |
reply-to-all.blogspot.com/search/label/Big%20Data | Big Data |
reply-to-all.blogspot.com/search/label/Cisco | Cisco |
reply-to-all.blogspot.com/search/label/Fingerprinting | Fingerprinting |
reply-to-all.blogspot.com/search/label/HITB%20conf | HITB conf |
reply-to-all.blogspot.com/search/label/Linux | Linux |
reply-to-all.blogspot.com/search/label/PHDays | PHDays |
reply-to-all.blogspot.com/search/label/Rootkits | Rootkits |
reply-to-all.blogspot.com/search/label/Wireless | Wireless |
User-agent: Mediapartners-Google
Disallow:
User-agent: *
Disallow: /search
Allow: /
Sitemap: http://reply-to-all.blogspot.com/sitemap.xml
USA - 173.194.70.132
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Wed, 01 May 2019 17:14:25 GMT
Date: Wed, 01 May 2019 17:14:25 GMT
Cache-Control: private, max-age=0
Last-Modified: Tue, 09 Apr 2019 16:36:41 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked