Covenant ShellCmd InstallUtil
Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/10/27 |
| Modification Date | 2020/09/19 |
| Tactics | |
| Techniques | ['T1218.004'] |
| Tags | ['InstallUtil', 'LOLBin'] |
Dataset Description
This dataset represents an adversary proxying code execution through InstallUtil.exe, a Microsoft-signed .NET Framework utility that loads an assembly and runs its installer components (ATT&CK T1218.004). Invoking it with the /u (uninstall) switch makes it call the assembly's Uninstall method, so any code placed there runs under a trusted binary, while the empty /logfile= and /LogToConsole=false switches suppress the install log and console output.
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/covenant_installutil.zip |
Adversary View
The Covenant operator first uploads the Grunt assembly to C:\ProgramData, then uses the ShellCmd task to run the 64-bit .NET Framework v4.0.30319 InstallUtil.exe against it with the uninstall switch:
Upload Task: GruntHTTP.dll -> C:\ProgramData\GruntHTTP.dll
(wardog) > ShellCmd /shellcommand:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /u c:\ProgramData\GruntHTTP.dll"
Explore Mordor Dataset
Initialize Analytics Engine
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/covenant_installutil.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |313 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |219 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |213 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |120 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |112 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |82 |
|WORKSTATION5.theshire.local|Security |4658 |71 |
|MORDORDC.theshire.local |Security |4658 |69 |
|WORKSTATION5.theshire.local|Security |5158 |41 |
|WORKSTATION6.theshire.local|security |5158 |38 |
|MORDORDC.theshire.local |Security |5156 |37 |
|WORKSTATION5.theshire.local|Security |4690 |36 |
|WORKSTATION5.theshire.local|Security |4656 |36 |
|MORDORDC.theshire.local |Security |4690 |34 |
|MORDORDC.theshire.local |Security |4663 |34 |
|MORDORDC.theshire.local |Security |4656 |34 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |32 |
|MORDORDC.theshire.local |Security |5158 |29 |
|WORKSTATION5.theshire.local|Security |4663 |26 |
|WORKSTATION5.theshire.local|Security |5156 |20 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
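The following is an added example, not part of the original notebook or of the Mordor project: a pure-Python analytic that applies the hunt logic implied by the adversary command above to a few constructed Sysmon EventID 1 (process creation) records, together with the equivalent SparkSQL for the mordorTable view registered earlier. The sample rows, their ParentImage values and the list of directories treated as normal homes for an installer assembly are assumptions made for this example. The Channel comparison is deliberately case-insensitive because the event counts above contain both `Security` and `security`.

```python
import ntpath
import re

# Channel name compared case-insensitively: the dataset mixes "Security" and "security".
SYSMON_CHANNEL = "microsoft-windows-sysmon/operational"
# Directories an installer assembly would normally be loaded from (assumption for this example).
TRUSTED_ASSEMBLY_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon EventID 1 records using Sysmon's native field names. The first mirrors the
# Covenant command above; none of the rows (or their ParentImage values) come from the dataset.
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /u c:\ProgramData\GruntHTTP.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Same technique, different casing, assembly staged under the user profile
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "microsoft-windows-sysmon/operational",
     "EventID": "1", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
     "CommandLine": r'installutil.exe /U "C:\Users\pgustavo\AppData\Local\Temp\update.dll"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Legitimate use: a service assembly shipped under Program Files being installed by its setup
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Contoso Agent\ContosoSvc.exe"',
     "ParentImage": r"C:\Program Files\Contoso Agent\setup.exe"},
    # Unrelated process creation
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Equivalent SparkSQL for the notebook's mordorTable view (same Sysmon field names as above).
SPARK_SQL = """
SELECT Hostname, Image, CommandLine, ParentImage
FROM mordorTable
WHERE EventID = 1
  AND lower(Channel) = 'microsoft-windows-sysmon/operational'
  AND lower(Image) LIKE '%installutil.exe'
  AND (lower(CommandLine) LIKE '% /u %' OR lower(CommandLine) LIKE '% /u'
       OR lower(CommandLine) LIKE '%/uninstall%')
"""


def tokenize_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_installutil(event):
    """Return the indicators that make a Sysmon process-creation event look like
    InstallUtil proxy execution (T1218.004), or None if the event is not of interest."""
    if str(event.get("EventID")) != "1" or str(event.get("Channel", "")).lower() != SYSMON_CHANNEL:
        return None
    image = str(event.get("Image", ""))
    if ntpath.basename(image).lower() != "installutil.exe":
        return None
    tokens = tokenize_cmdline(str(event.get("CommandLine", "")))
    switches = [t.lower() for t in tokens[1:] if t.startswith(("/", "-"))]
    positional = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    assembly = positional[-1] if positional else None  # InstallUtil takes the assembly path last
    indicators = []
    if any(s in ("/u", "/uninstall") for s in switches):
        indicators.append("uninstall_switch")  # runs the assembly's Uninstall method
    if "/logfile=" in switches:
        indicators.append("logfile_suppressed")  # empty /logfile= means no install log on disk
    if "/logtoconsole=false" in switches:
        indicators.append("console_output_suppressed")
    if assembly and not assembly.lower().startswith(TRUSTED_ASSEMBLY_PREFIXES):
        indicators.append("assembly_outside_trusted_paths")
    if not indicators:
        return None
    return {"Hostname": event.get("Hostname"), "Image": image, "ParentImage": event.get("ParentImage"),
            "assembly": assembly, "indicators": indicators}


def hunt(events):
    """Run the analyzer over an iterable of Sysmon events and return only the findings."""
    return [f for f in (analyze_installutil(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The analytic scores four things independently: the /u or /uninstall switch (any casing), the empty /logfile= and /LogToConsole=false switches that hide the activity, and an assembly loaded from outside the usual install directories. The third record, a service assembly installed from Program Files with no uninstall switch, shows the benign case returning None; the SPARK_SQL string can be passed to spark.sql() in the notebook to pull the real candidate rows out of mordorTable for the same triage.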