Covenant ShellCmd InstallUtil

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/10/27

Modification Date

2020/09/19

Tactics

['TA0005', 'TA0002']

Techniques

['T1218.004']

Tags

['InstallUtil', 'LOLBin']

Dataset Description

This dataset captures an adversary proxy-executing code through InstallUtil, a trusted Windows utility that ships with the .NET Framework.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Mordor shire | C2 | ShellCmd

Adversary View

Upload Task: GruntHTTP.dll -> C:\ProgramData\GruntHTTP.dll
(wardog) > ShellCmd /shellcommand:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /u c:\ProgramData\GruntHTTP.dll"

Explore Mordor Dataset

Initialize Analytics Engine

# openhunt ships helpers for loading Mordor datasets into Spark
from openhunt.mordorutils import *
# SparkSession that the SQL queries below run against
spark = get_spark()

Download & Process Mordor File

# zipped JSON dataset hosted in the OTRF/mordor repository
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/covenant_installutil.zip"
# downloads the file, loads it into a DataFrame and registers it as a temporary SparkSQL view
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |313  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |219  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |213  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |120  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |112  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |82   |
|WORKSTATION5.theshire.local|Security                            |4658   |71   |
|MORDORDC.theshire.local    |Security                            |4658   |69   |
|WORKSTATION5.theshire.local|Security                            |5158   |41   |
|WORKSTATION6.theshire.local|security                            |5158   |38   |
|MORDORDC.theshire.local    |Security                            |5156   |37   |
|WORKSTATION5.theshire.local|Security                            |4690   |36   |
|WORKSTATION5.theshire.local|Security                            |4656   |36   |
|MORDORDC.theshire.local    |Security                            |4690   |34   |
|MORDORDC.theshire.local    |Security                            |4663   |34   |
|MORDORDC.theshire.local    |Security                            |4656   |34   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |32   |
|MORDORDC.theshire.local    |Security                            |5158   |29   |
|WORKSTATION5.theshire.local|Security                            |4663   |26   |
|WORKSTATION5.theshire.local|Security                            |5156   |20   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
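The event counts above are the starting point; the next step in this kind of hunt is to look at Sysmon process-creation records (EventID 1) for the InstallUtil invocation shown in the Adversary View. The following is an added example and is not code from the Mordor notebook or the Covenant project: it implements that check in plain Python over constructed Sysmon-style JSON lines (not rows from the covenant_installutil dataset), so it runs without Spark; the Image and CommandLine field names are the usual Sysmon ones and are assumed here.

```python
# Added example (not from the Mordor notebook or the Covenant project): a
# detection over Sysmon process-creation records (EventID 1) for the
# InstallUtil proxy-execution pattern shown in the Adversary View (T1218.004).
# The JSON lines are constructed samples, not rows from covenant_installutil.
import json
import re

# Match the InstallUtil binary regardless of .NET folder or casing.
INSTALLUTIL_RE = re.compile(r"(?:^|\\)installutil\.exe$", re.IGNORECASE)
# The /u (uninstall) switch runs the assembly's uninstaller code path.
UNINSTALL_RE = re.compile(r"(?:^|\s)/u(?:\s|$)", re.IGNORECASE)

# Constructed Sysmon-style records, one JSON object per line (mordor layout).
SAMPLE_LOG = r'''
{"EventID": 1, "Hostname": "WORKSTATION5.theshire.local", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /u c:\\ProgramData\\GruntHTTP.dll"}
{"EventID": 1, "Hostname": "WORKSTATION6.theshire.local", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "CommandLine": "InstallUtil.exe C:\\Program Files\\Contoso\\ContosoService.exe"}
{"EventID": 1, "Hostname": "WORKSTATION5.theshire.local", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe /logfile= /u"}
{"EventID": 13, "Hostname": "WORKSTATION5.theshire.local", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "TargetObject": "HKLM\\SOFTWARE\\Constructed\\Key"}
'''


def is_installutil_proxy_execution(event):
    """True for an EventID 1 record where InstallUtil runs with the uninstall
    switch and its logging suppressed (/logfile= and/or /LogToConsole=false),
    the combination the Covenant ShellCmd task uses. A plain service install
    (second sample) carries neither switch and is not flagged."""
    if event.get("EventID") != 1:
        return False
    if not INSTALLUTIL_RE.search(event.get("Image", "")):
        return False
    cmd = event.get("CommandLine", "")
    lowered = cmd.lower()
    logging_suppressed = "/logfile=" in lowered or "/logtoconsole=false" in lowered
    return bool(UNINSTALL_RE.search(cmd)) and logging_suppressed


def hunt(log_text):
    """Parse JSON lines and return (Hostname, CommandLine) for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_installutil_proxy_execution(event):
            hits.append((event.get("Hostname"), event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for host, cmd in hunt(SAMPLE_LOG):
        print(f"[!] {host}: {cmd}")
```

The same predicate translates directly into a WHERE clause over mordorTable (EventID = 1, Image ending in InstallUtil.exe, CommandLine containing /u and /logfile= or /LogToConsole=false) once the Spark view is registered.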