Covenant PowerShell Remoting Command

Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/08/06 |
| Modification Date | 2020/09/20 |
| Tactics | |
| Techniques | ['T1021.006'] |
| Tags | ['PowerShell Remoting'] |
Dataset Description
This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
| Network | |
Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Mordor shire | C2 | |
Adversary View

```text
[08/06/2020 15:56:13 UTC] PowerShellRemotingCommand completed
(wardog) > PowerShellRemotingCommand /computername:"WORKSTATION6" /command:"get-process" /domain:"theshire.local" /username:"pgustavo" /password:"W1n1!2019"
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName PSComputerName
------- ------ ----- ----- ------ -- -- ----------- --------------
259 17 4712 24656 0.58 7996 2 ApplicationFrameHost WORKSTATION6
118 7 6396 10664 0.03 1356 0 conhost WORKSTATION6
612 22 1720 4900 0.69 524 0 csrss WORKSTATION6
168 11 1544 4164 0.06 604 1 csrss WORKSTATION6
401 14 1664 5168 6.94 2528 2 csrss WORKSTATION6
384 15 3648 13620 5.97 2888 2 ctfmon WORKSTATION6
135 8 2016 12064 0.19 4952 2 dllhost WORKSTATION6
235 22 5100 14172 0.33 5028 2 dllhost WORKSTATION6
242 16 3776 12940 0.33 7864 2 dllhost WORKSTATION6
665 24 17888 38728 0.27 588 1 dwm WORKSTATION6
721 32 31996 69820 19.36 2512 2 dwm WORKSTATION6
1961 75 43016 122660 26.72 4156 2 explorer WORKSTATION6
32 5 1188 2072 0.03 880 1 fontdrvhost WORKSTATION6
32 5 1260 2172 0.08 884 0 fontdrvhost WORKSTATION6
32 7 3092 5864 0.75 4084 2 fontdrvhost WORKSTATION6
0 0 60 8 0 0 Idle WORKSTATION6
632 34 17136 49032 0.48 608 1 LogonUI WORKSTATION6
```

Explore Mordor Dataset

Initialize Analytics Engine

```python
# openhunt's Mordor helpers: create (or reuse) a local Spark session
from openhunt.mordorutils import *
spark = get_spark()
```
Download & Process Mordor File

```python
# Download the dataset zip, load it into a Spark DataFrame and expose it as a
# temporary SparkSQL view named mordorTable
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_psremoting_command.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```text
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
# Event volume per host, channel and event id, most frequent first
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```
```text
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |1611 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |450 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |364 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |284 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |177 |
|WORKSTATION6.theshire.local|Security |4656 |170 |
|WORKSTATION6.theshire.local|Security |4658 |152 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |94 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |90 |
|WORKSTATION6.theshire.local|Security |4690 |78 |
|WORKSTATION6.theshire.local|Security |4663 |49 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |47 |
|MORDORDC.theshire.local |Security |5156 |45 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|12 |42 |
|WORKSTATION5.theshire.local|Security |5158 |41 |
|WORKSTATION5.theshire.local|Security |5156 |38 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|3 |36 |
|WORKSTATION6.theshire.local|Security |5158 |29 |
|WORKSTATION6.theshire.local|Security |5156 |29 |
|MORDORDC.theshire.local |Security |5158 |28 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
```
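The same per-host, per-channel, per-EventID summary can be produced without a Spark session, which is handy when a dataset is inspected on a laptop or inside a CI job. The block below is an added example and is not code from the Mordor project or the openhunt library. It assumes (an assumption, not stated on this page) that a Mordor small dataset zip holds one or more `.json` members with one JSON event per line carrying the `Hostname`, `Channel` and `EventID` fields the page's query groups on; the events it packs into an in-memory zip are constructed samples, not rows from the real dataset.

```python
"""Offline exploration of a Mordor-style dataset without Spark.

Added example, not part of the Mordor page or the openhunt library.
Assumption: a Mordor small dataset zip contains .json members in JSON-lines
form, each event having at least Hostname, Channel and EventID.
"""
import io
import json
import zipfile
from collections import Counter
from typing import Iterable, List, Tuple


def iter_mordor_zip(zip_bytes: bytes) -> Iterable[dict]:
    """Yield one event dict per JSON line from every .json member of the zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            with zf.open(name) as fh:
                for raw in io.TextIOWrapper(fh, encoding="utf-8"):
                    line = raw.strip()
                    if line:
                        yield json.loads(line)


def summarize(events: Iterable[dict]) -> List[Tuple[str, str, int, int]]:
    """Equivalent of the page's SparkSQL query: count events per
    (Hostname, Channel, EventID), highest count first. Events that lack any of
    the three fields, or whose EventID is not numeric, are skipped rather than
    aborting the whole pass, so one malformed line cannot hide the rest."""
    counts: Counter = Counter()
    for ev in events:
        try:
            key = (ev["Hostname"], ev["Channel"], int(ev["EventID"]))
        except (KeyError, TypeError, ValueError):
            continue
        counts[key] += 1
    # count descending, then key ascending so the order is deterministic
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(host, channel, event_id, n) for (host, channel, event_id), n in ordered]


# Constructed sample events shaped like the page's rows (not real dataset records).
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4656},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": "4656"},
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security"},  # malformed: no EventID
]


def build_sample_zip() -> bytes:
    """Pack SAMPLE_EVENTS as JSON lines into an in-memory zip mirroring the dataset layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        body = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS) + "\n"
        zf.writestr("covenant_psremoting_command_sample.json", body)
    return buf.getvalue()


def sample_summary() -> List[Tuple[str, str, int, int]]:
    """Run the full path (zip -> JSON lines -> summary) over the constructed sample."""
    return summarize(iter_mordor_zip(build_sample_zip()))


if __name__ == "__main__":
    for host, channel, event_id, n in sample_summary():
        print(f"{host:<28} {channel:<38} {event_id:>6} {n:>5}")
```

To point this at a real download, pass the bytes of the zip fetched from the URL above to `iter_mordor_zip`; `summarize` then returns the same (Hostname, Channel, EventID, count) tuples the Spark query prints, and the skip-on-malformed behaviour means a single bad line in a large capture shows up as a missing row rather than a crashed analysis.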