Python HTTP Server¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/10/29 |
Modification Date |
2020/10/29 |
Tactics |
[‘TA0002’] |
Techniques |
[‘T1059’] |
Tags |
None |
Dataset Description¶
This dataset represents threat actors adding a FW inbound rule and starting a Python HTTP Server.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
Simulation Plan¶
Environment |
Tool Type |
Module |
---|---|---|
Lab VM |
Manual |
PowerShell |
Adversary View¶
Add Firewall Rule
-----------------
PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=tcp remoteip=any
Ok.
PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=udp remoteip=any
Ok.
Start HTTP Server
-----------------
PS > python -m http.server 8000
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/execution/host/psh_python_webserver.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Security |4658 |642 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10 |451 |
|WORKSTATION5|Security |4656 |322 |
|WORKSTATION5|Security |4663 |320 |
|WORKSTATION5|Security |4690 |320 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7 |254 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12 |28 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13 |23 |
|WORKSTATION5|Security |5447 |8 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11 |4 |
|WORKSTATION5|Security |5158 |4 |
|WORKSTATION5|Security |5156 |4 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1 |3 |
|WORKSTATION5|Security |4688 |3 |
|WORKSTATION5|Security |4946 |2 |
|WORKSTATION5|Security |4689 |2 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|5 |2 |
|WORKSTATION5|Security |5154 |1 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|22 |1 |
|WORKSTATION5|Security |1102 |1 |
+------------+------------------------------------+-------+-----+