SUSPICIOUS ACTIVITY (28 categories, 1048 events)
ANDRE: a1bab5c7-166a-466d-9226-e37d9eb3c369
These are suspicious events that can be directly attributed to the attack.
Name Trickery (3 events)
Use of process names that are designed to hide their extension as being executables (for example: invoice.pdf.exe). Malware use this technique to trick users into thinking that an executable file is a document or image, enticing them to open it.

System Information Discovery (1 event)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. (T1082)

Command and Scripting Interpreter: PowerShell (15 events)
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. (T1059.001)

Indicator Removal on Host: File Deletion (15 events)
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (T1070.004)

Persistence (1 event)
The incident performed persistence actions to ensure execution after system boot. Persistence is performed by setting specific system registry keys or by creating files in specific system folders.

Command and Scripting Interpreter: Windows Command Shell (6 events)
Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). (T1059.003)

Process Discovery (31 events)
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. (T1057)

Application Window Discovery (21 events)
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. (T1010)

Process Termination (3 events)
Used to terminate a running process, malware often utilize this process to ensure that they terminate one of their processes and then delete it.

Process in AppData (3 events)
Process was saved in the AppData folder which is a common location for malware to run.

Process in Temp (3 events)
Process was saved in the Temp folder which is a common location for malware to run.

Commonly Used Port (3 events)
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as (T1043)

Encrypted Channel: Asymmetric Cryptography (3 events)
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver's public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. (T1573.002)

Masquerading (3 events)
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. Adversaries may also use the same icon of the file they are trying to mimic. (T1036)

Masquerading: Invalid Code Signature (1 event)
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. Unlike Code Signing, this activity will not result in a valid signature. (T1036.001)

Process Injection: Portable Executable Injection (1 event)
Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. (T1055.002)

Archive Collected Data (2 events)
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. (T1560)

User Execution: Malicious File (1 event)
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. [cntrl9][cntrl9][cntrl9]Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it. [cntrl9][cntrl9][cntrl9]While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. (T1204.002)

Dropped Script (15 events)
One or more script files were created.

Native API (164 events)
Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters. (T1106)

Non-Standard Port (1 event)
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. (T1571)

Dangerous Execution (59 events)
System processes, such as cmd.exe, are being executed. While these processes can be loaded legitimately, their use is relatively rare and is often used by malware.

Unsigned Process (4 events)
There are many legitimate processes that the developers did not sign. However, please note that the vast majority of malware is unsigned.

Dropped Executable (11 events)
One or more executable files were created.

Dropped Dll (15 events)
One or more Dll files were created.

Modify Registry (9 events)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution. (T1112)

Subvert Trust Controls: Code Signing (161 events)
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. Code signing certificates may be used to bypass security policies that require signed code to execute on a system. (T1553.002)

Query Registry (493 events)
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. (T1012)