Windows

You can create your own Windows Mordor datasets by running the PowerShell script available in our scripts folder. The script leverages the System.Diagnostics.Eventing.Reader.EventLogSession class to collect event logs from the local host or from a remote one.

Requirements

Import Mordor Script

You can import the script directly from GitHub with the following command. Note that this downloads and executes whatever is on the master branch at that moment, in your session and with your privileges; on anything other than a throwaway lab host, download the script, review it, and run it from a pinned copy instead.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/OTRF/mordor/master/scripts/data-collectors/Mordor-WinEvents.ps1')

Clear Windows Events (Optional)

If you are working in a lab environment, you can first clear specific Windows event logs before running a simulation. Clearing the Security log requires an elevated session, and the clear itself is audited as Security event 1102 (audit log cleared), so expect that event at the start of your dataset.

@('Security','Microsoft-Windows-Sysmon/Operational') | Clear-WinEvents

Collect Windows Event Logs

Before running any simulations, save the current time to a variable so you can filter the event logs to only what was created after that point once the simulation is done.

$FromDate = get-date

Now you are ready to run a simulation.

After running a simulation on your Windows endpoint, select the event logs you want to collect data from. Reading the Security log requires administrative rights or membership in the Event Log Readers group.

@('Security','Microsoft-Windows-Sysmon/Operational') | Export-WinEvents -EndDate $FromDate -OutputPath "MordorDataset_$(get-date -format yyyy-MM-ddTHHmmssff).json" -Verbose

You can also collect every event from every event log on the system that was created after you set the $FromDate variable (most likely events related to your simulation). The noisy diagnostic and PowerShell logs below are excluded so they do not drown out the simulation's own events.

$FilterLogs = @('Microsoft-WindowsAzure-Diagnostics/Heartbeat','Microsoft-WindowsAzure-Diagnostics/GuestAgent','Microsoft-Windows-SystemDataArchiver/Diagnostic','Microsoft-Windows-DSC/Operational','Windows PowerShell','Microsoft-Windows-Kernel-IO/Operational','Microsoft-Windows-PowerShell/Operational')

Get-WinEvent -ListLog * | Where-Object { $_.LogName -notin $FilterLogs -and $_.RecordCount -gt 0 } | Select-Object -ExpandProperty LogName | Export-WinEvents -EndDate $FromDate -OutputPath "MordorDataset_$(get-date -format yyyy-MM-ddTHHmmssff).json" -ErrorAction SilentlyContinue
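To make clear what the collection step above is doing under the hood, here is an added example (not the Mordor project's Mordor-WinEvents.ps1) that implements the same flow directly on the .NET EventLogSession/EventLogQuery/EventLogReader API the script is described as using: record a start time, run the simulation, then pull every event created after that time from the chosen channels and write one JSON object per line. The function name Export-EventsSince, the XPath time filter, the flattened record layout and the output file name are this example's own choices, not the project's.

```powershell
# Added example, not the project's script. Requires PowerShell 5+ (for ::new)
# and, for the Security channel, an elevated session or Event Log Readers membership.
function Export-EventsSince {
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][datetime]$Since,
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$ComputerName   # optional remote host; local session when omitted
    )

    # Local session by default. A remote session additionally needs the Remote Event
    # Log Management firewall rule enabled and read rights on the target's channels.
    $session = if ($ComputerName) {
        [System.Diagnostics.Eventing.Reader.EventLogSession]::new($ComputerName)
    } else {
        [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
    }

    # Event XML stores TimeCreated/@SystemTime in UTC, so convert the local
    # Get-Date value before building the XPath filter.
    $sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $xpath = "*[System[TimeCreated[@SystemTime>='$sinceUtc']]]"

    $count  = 0
    $writer = [System.IO.StreamWriter]::new($OutputPath, $false, [System.Text.Encoding]::UTF8)
    try {
        foreach ($log in $LogName) {
            $query = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
                $log, [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
            $query.Session = $session
            try {
                $reader = [System.Diagnostics.Eventing.Reader.EventLogReader]::new($query)
            } catch {
                # Channel missing, disabled, or not readable with current rights.
                Write-Warning "Skipping '$log': $($_.Exception.Message)"
                continue
            }
            try {
                while (($record = $reader.ReadEvent()) -ne $null) {
                    # Rendered message; providers without a message file throw here.
                    $message = $null
                    try { $message = $record.FormatDescription() } catch { }

                    # Flatten the system fields every dataset consumer wants first.
                    $event = [ordered]@{
                        Channel      = $record.LogName
                        Provider     = $record.ProviderName
                        EventID      = $record.Id
                        RecordNumber = $record.RecordId
                        TimeCreated  = if ($record.TimeCreated) {
                                           $record.TimeCreated.ToUniversalTime().ToString('o')
                                       } else { $null }
                        Hostname     = $record.MachineName
                        Message      = $message
                    }
                    # Then promote each EventData name/value pair (e.g. Sysmon's
                    # Image, CommandLine) to a top-level field from the raw XML.
                    $xml = [xml]$record.ToXml()
                    foreach ($d in @($xml.Event.EventData.Data)) {
                        if ($d -and $d.Name) { $event[$d.Name] = $d.'#text' }
                    }
                    $writer.WriteLine(($event | ConvertTo-Json -Compress -Depth 3))
                    $count++
                }
            } finally {
                $reader.Dispose()
            }
        }
    } finally {
        $writer.Dispose()
    }
    return $count
}

# Same flow as the page: record the time, run the simulation, then export.
$FromDate = Get-Date
# ... run the simulation here ...
$out = "MordorDataset_$(Get-Date -Format yyyy-MM-ddTHHmmssff).json"
$n = Export-EventsSince -LogName @('Security','Microsoft-Windows-Sysmon/Operational') `
                        -Since $FromDate -OutputPath $out
Write-Host "$n events written to $out"
```

The XPath filter is applied by the event log service rather than in PowerShell, which is why it stays fast even on a large Security log; the same filter string works unchanged with Get-WinEvent -FilterXPath if you prefer the cmdlet. Writing one JSON object per line keeps the output streamable and matches the newline-delimited shape most log pipelines expect.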

That’s it! Next, explore the events you collected and validate through your own research that they contain the events produced by the adversary behavior you simulated. Once you are confident the dataset captures that behavior, open a PR to the project and we would be happy to review the dataset and add it to our library!