Python HTTP Server¶

Metadata¶


Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/10/29
Modification Date	2020/10/29
Tactics	[‘TA0002’]
Techniques	[‘T1059’]
Tags	None

Dataset Description¶

This dataset represents threat actors adding a FW inbound rule and starting a Python HTTP Server.

Datasets Downloads¶

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/psh_python_webserver.zip

Notebooks¶

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan¶

Environment	Tool Type	Module
Lab VM	Manual	PowerShell

Adversary View¶

Add Firewall Rule
-----------------
PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=tcp remoteip=any
Ok.    

PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=udp remoteip=any
Ok.

Start HTTP Server
-----------------
PS > python -m http.server 8000

Serving HTTP on :: port 8000 (http://[::]:8000/) ...

Explore Mordor Dataset¶

Initialize Analytics Engine¶

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File¶

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/psh_python_webserver.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data¶

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

Empire Invoke PSRemoting Empire Invoke DCOM ShellWindows