Contents

Python HTTP Server

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/29

Modification Date

2020/10/29

Tactics

[‘TA0002’]

Techniques

[‘T1059’]

Tags

None

Dataset Description

This dataset represents threat actors adding a FW inbound rule and starting a Python HTTP Server.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

Lab VM

Manual

PowerShell

Adversary View

Add Firewall Rule
-----------------
PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=tcp remoteip=any
Ok.    

PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=udp remoteip=any
Ok.

Start HTTP Server
-----------------
PS > python -m http.server 8000

Serving HTTP on :: port 8000 (http://[::]:8000/) ...

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/execution/host/psh_python_webserver.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Security                            |4658   |642  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |451  |
|WORKSTATION5|Security                            |4656   |322  |
|WORKSTATION5|Security                            |4663   |320  |
|WORKSTATION5|Security                            |4690   |320  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |254  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |28   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |23   |
|WORKSTATION5|Security                            |5447   |8    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |4    |
|WORKSTATION5|Security                            |5158   |4    |
|WORKSTATION5|Security                            |5156   |4    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1      |3    |
|WORKSTATION5|Security                            |4688   |3    |
|WORKSTATION5|Security                            |4946   |2    |
|WORKSTATION5|Security                            |4689   |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|5      |2    |
|WORKSTATION5|Security                            |5154   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|22     |1    |
|WORKSTATION5|Security                            |1102   |1    |
+------------+------------------------------------+-------+-----+
Remote Scheduled Task Creation Empire Invoke DCOM ShellWindows