Covenant PowerShell Remoting Command

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/08/06
Modification Date: 2020/09/20
Tactics: ['TA0002', 'TA0008']
Techniques: ['T1021.006']
Tags: ['PowerShell Remoting']

Dataset Description

This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment  | Tool Type | Module
Mordor shire | C2        | PowerShellRemotingCommand

Adversary View

[08/06/2020 15:56:13 UTC] PowerShellRemotingCommand completed

(wardog) > PowerShellRemotingCommand /computername:"WORKSTATION6" /command:"get-process" /domain:"theshire.local" /username:"pgustavo" /password:"W1n1!2019"

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                     PSComputerName
-------  ------    -----      -----     ------     --  -- -----------                     --------------
    259      17     4712      24656       0.58   7996   2 ApplicationFrameHost            WORKSTATION6
    118       7     6396      10664       0.03   1356   0 conhost                         WORKSTATION6
    612      22     1720       4900       0.69    524   0 csrss                           WORKSTATION6
    168      11     1544       4164       0.06    604   1 csrss                           WORKSTATION6
    401      14     1664       5168       6.94   2528   2 csrss                           WORKSTATION6
    384      15     3648      13620       5.97   2888   2 ctfmon                          WORKSTATION6
    135       8     2016      12064       0.19   4952   2 dllhost                         WORKSTATION6
    235      22     5100      14172       0.33   5028   2 dllhost                         WORKSTATION6
    242      16     3776      12940       0.33   7864   2 dllhost                         WORKSTATION6
    665      24    17888      38728       0.27    588   1 dwm                             WORKSTATION6
    721      32    31996      69820      19.36   2512   2 dwm                             WORKSTATION6
   1961      75    43016     122660      26.72   4156   2 explorer                        WORKSTATION6
     32       5     1188       2072       0.03    880   1 fontdrvhost                     WORKSTATION6
     32       5     1260       2172       0.08    884   0 fontdrvhost                     WORKSTATION6
     32       7     3092       5864       0.75   4084   2 fontdrvhost                     WORKSTATION6
      0       0       60          8                 0   0 Idle                            WORKSTATION6
    632      34    17136      49032       0.48    608   1 LogonUI                         WORKSTATION6

Explore Mordor Dataset

Initialize Analytics Engine

# OpenHunt helpers for loading Mordor datasets into Spark; get_spark() returns a ready SparkSession
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the dataset archive and expose it as the SparkSQL view "mordorTable"
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_psremoting_command.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

# Count events per host, channel and event ID to see which sources the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |1611 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |450  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |364  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |284  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |177  |
|WORKSTATION6.theshire.local|Security                            |4656   |170  |
|WORKSTATION6.theshire.local|Security                            |4658   |152  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |94   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |90   |
|WORKSTATION6.theshire.local|Security                            |4690   |78   |
|WORKSTATION6.theshire.local|Security                            |4663   |49   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |47   |
|MORDORDC.theshire.local    |Security                            |5156   |45   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |42   |
|WORKSTATION5.theshire.local|Security                            |5158   |41   |
|WORKSTATION5.theshire.local|Security                            |5156   |38   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |36   |
|WORKSTATION6.theshire.local|Security                            |5158   |29   |
|WORKSTATION6.theshire.local|Security                            |5156   |29   |
|MORDORDC.theshire.local    |Security                            |5158   |28   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
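The event counts above show which sources the dataset carries, but not what PowerShell Remoting looks like in them. The following added example (written for this page, not code from the Mordor project or its notebooks) shows the hunt a defender would run next: on the target host, WinRM executes remoted commands under the plug-in host wsmprovhost.exe, so process creations whose parent is that binary (Sysmon EventID 1 or Security 4688) are the signal, and a Sysmon EventID 3 connection to TCP 5985/5986 from the source host ties the two ends together. The events are constructed for the example and are not rows from the dataset; the field names (Image, ParentImage, NewProcessName, ParentProcessName, DestinationHostname, DestinationPort) are the standard Sysmon and Security names and are assumed to be present unchanged in the dataset.

```python
# Added example (not from the Mordor project): detection logic for PowerShell Remoting (WinRM)
# over constructed Sysmon and Security events. Field names are the standard Sysmon/Security
# names; whether the dataset keeps them unchanged is an assumption.
from typing import Dict, List, Optional, Set, Tuple

WINRM_HOST = "wsmprovhost.exe"      # WinRM plug-in host that runs remoted PowerShell commands
WINRM_PORTS = {5985, 5986}           # WinRM over HTTP / HTTPS

# Equivalent SparkSQL for the notebook's mordorTable view (assumed column names as above)
PSREMOTING_SQL = '''
SELECT Hostname, Image, ParentImage
FROM mordorTable
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
  AND EventID = 1
  AND LOWER(ParentImage) LIKE "%\\\\wsmprovhost.exe"
'''


def _process_fields(event: Dict) -> Optional[Tuple[str, str]]:
    """Return (image, parent_image) for a process-creation event, else None.

    Sysmon EventID 1 uses Image/ParentImage; Security 4688 uses NewProcessName/ParentProcessName.
    """
    channel = event.get("Channel", "")
    eid = int(event.get("EventID", 0))
    if channel.endswith("Sysmon/Operational") and eid == 1:
        return event.get("Image", ""), event.get("ParentImage", "")
    if channel == "Security" and eid == 4688:
        return event.get("NewProcessName", ""), event.get("ParentProcessName", "")
    return None


def is_winrm_child(event: Dict) -> bool:
    """True when the event records a process launched under the WinRM plug-in host."""
    fields = _process_fields(event)
    if fields is None:
        return False
    parent = fields[1]
    # Compare on the file name only, so the system drive or path casing does not matter
    return parent.lower().rsplit("\\", 1)[-1] == WINRM_HOST


def find_winrm_children(events: List[Dict]) -> List[Dict]:
    """One summary record per process created under wsmprovhost.exe, from either log source."""
    hits = []
    for ev in events:
        if is_winrm_child(ev):
            image, parent = _process_fields(ev)
            hits.append({"Hostname": ev["Hostname"], "Image": image,
                         "ParentImage": parent, "EventID": int(ev["EventID"])})
    return hits


def winrm_sources(events: List[Dict]) -> Dict[str, Set[str]]:
    """Map each destination host to the hosts that opened a WinRM port to it (Sysmon EventID 3)."""
    out: Dict[str, Set[str]] = {}
    for ev in events:
        if (ev.get("Channel", "").endswith("Sysmon/Operational")
                and int(ev.get("EventID", 0)) == 3
                and int(ev.get("DestinationPort", 0)) in WINRM_PORTS):
            out.setdefault(ev.get("DestinationHostname", "?"), set()).add(ev["Hostname"])
    return out


# Constructed sample events (not taken from the dataset)
SAMPLE_EVENTS = [
    # source host opens WinRM to the target
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "WORKSTATION6.theshire.local", "DestinationPort": 5985},
    # target host: PowerShell spawned by the WinRM plug-in host (Sysmon view)
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe"},
    # target host: the same activity as seen in Security 4688
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\conhost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    # benign local logon activity that must not be flagged
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
]

if __name__ == "__main__":
    for hit in find_winrm_children(SAMPLE_EVENTS):
        print(hit)
    print(winrm_sources(SAMPLE_EVENTS))
```

Against the real dataset the same two questions map onto the mordorTable view: the Sysmon EventID 1 rows on WORKSTATION6 with wsmprovhost.exe as ParentImage identify what the remoted command ran, and the EventID 3 rows on WORKSTATION5 with DestinationPort 5985 identify where the session came from. Matching on the parent file name rather than a full path keeps the check stable across system drives and casing, and reading both the Sysmon and Security shapes means the logic still works on hosts that ship only one of the two channels.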