.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

Covenant SharpWMI Exec

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/05/18
Modification Date	2020/09/20
Tactics	[‘TA0002’, ‘TA0008’]
Techniques	[‘T1047’]
Tags	[‘WMI IWbemServices ExecMethod’]

Dataset Description

This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpwmi_create_dcerpc_wmi.zip
Network	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/network/covenant_sharpwmi_create_dcerpc_wmi.zip

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan

Environment	Tool Type	Module
Mordor shire	C2	SharpWMI

Adversary View

(wardog) > SharpWMI /command:"action=exec computername=WORKSTATION6 command=\"C:\\Windows\\System32\\GruntHTTP2.exe\""

[*] Host                           : WORKSTATION6

[*] Command                        : "C:\\Windows\\System32\\GruntHTTP2.exe"

[*] Creation of process returned   : 0

[*] Process ID                     : 3824

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpwmi_create_dcerpc_wmi.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |492  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |391  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |230  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |150  |
|WORKSTATION6.theshire.local|Security                            |4656   |114  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |76   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |74   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |66   |
|WORKSTATION6.theshire.local|Security                            |4658   |51   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |45   |
|WORKSTATION6.theshire.local|Security                            |5156   |41   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |41   |
|MORDORDC.theshire.local    |Security                            |5158   |39   |
|WORKSTATION6.theshire.local|Security                            |5158   |37   |
|MORDORDC.theshire.local    |Security                            |5156   |37   |
|WORKSTATION5.theshire.local|Security                            |5156   |34   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |33   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|13     |33   |
|MORDORDC.theshire.local    |Security                            |4658   |32   |
|WORKSTATION5.theshire.local|Security                            |5158   |28   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows

Covenant Remote WMI Wbemcomn DLL Hijacking Remote Scheduled Task Modification