SharpView PCRE.NET

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/29

Modification Date

2020/10/29

Tactics

['TA0002']

Techniques

['T1059']

Tags

None

Dataset Description

This dataset represents a threat actor leveraging SharpView, with specific functions such as Get-ObjectAcl creating files and loading DLLs related to PCRE.NET use.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Lab VM      | Manual    | Cmd

Adversary View

C:\ProgramData>SharpView.exe Get-ObjectAcl -SamAccountName "Domain Admins"
[Get-DomainSearcher] search base: LDAP://MORDORDC.THESHIRE.LOCAL/DC=THESHIRE,DC=LOCAL
[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))
ObjectDN                       : CN=Domain Admins,CN=Users,DC=theshire,DC=local
ObjectAceFlags                 : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectAceType                  : 4c164200-20c0-11d0-a768-00aa006e0529
InheritedObjectAceType         : 4828cc14-1437-45bc-9b07-ad6f015e5f28
BinaryLength                   : 60
AceQualifier                   : AccessAllowed
IsCallback                     : False
OpaqueLength                   : 0
AccessMask                     : 16
SecurityIdentifier             : S-1-5-32-554
AceType                        : AccessAllowedObject
AceFlags                       : None
IsInherited                    : False
InheritanceFlags               : None
PropagationFlags               : None
AuditFlags                     : None
ObjectSID                      : S-1-5-21-3140987116-517580383-2541594433-512
ActiveDirectoryRights          : ReadProperty
..
.....

Explore Mordor Dataset

Initialize Analytics Engine

# Import the Mordor helper functions from the openhunt library and start a Spark session
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the dataset zip and register its events as a temporary SparkSQL view named "mordorTable"
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/execution/host/cmd_sharpview_pcre_net.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and event id to see what the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |85   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |49   |
|WORKSTATION5.theshire.local|security                            |4658   |34   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |23   |
|WORKSTATION5.theshire.local|security                            |4656   |17   |
|WORKSTATION5.theshire.local|security                            |4690   |17   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |12   |
|WORKSTATION5.theshire.local|security                            |4663   |6    |
|WORKSTATION5.theshire.local|security                            |5158   |6    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |4    |
|WORKSTATION5.theshire.local|security                            |5156   |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|22     |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|23     |1    |
|WORKSTATION5.theshire.local|security                            |1102   |1    |
|WORKSTATION5.theshire.local|security                            |4688   |1    |
|WORKSTATION5.theshire.local|security                            |4689   |1    |
|WORKSTATION5.theshire.local|security                            |4673   |1    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|3      |1    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|5      |1    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|1      |1    |
+---------------------------+------------------------------------+-------+-----+
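The dataset description notes that SharpView's PCRE.NET use creates files and loads DLLs, and the summary above shows the two Sysmon events that capture this: EventID 11 (FileCreate) and EventID 7 (ImageLoaded). The following is an added example, not code from the Mordor project or the openhunt library, showing the correlation a hunter would build over those two events: flag any process that writes a file to disk and then loads that same path as an image within a short window. Every record, path, GUID and timestamp below is constructed sample data, not a value from the dataset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style records (hypothetical values, not taken from the Mordor dataset).
# EventID 1 = ProcessCreate, 11 = FileCreate, 7 = ImageLoaded.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{GUID-A}", "Image": "C:\\ProgramData\\SharpView.exe",
     "@timestamp": "2020-10-29T20:15:00.000Z"},
    {"EventID": 11, "ProcessGuid": "{GUID-A}", "Image": "C:\\ProgramData\\SharpView.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\example-native.dll",
     "@timestamp": "2020-10-29T20:15:01.200Z"},
    {"EventID": 7, "ProcessGuid": "{GUID-A}", "Image": "C:\\ProgramData\\SharpView.exe",
     "ImageLoaded": "C:\\Users\\user\\AppData\\Local\\Temp\\EXAMPLE-NATIVE.dll",
     "@timestamp": "2020-10-29T20:15:01.450Z"},
    # Ordinary system DLL load by the same process: no matching FileCreate, so not flagged.
    {"EventID": 7, "ProcessGuid": "{GUID-A}", "Image": "C:\\ProgramData\\SharpView.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "@timestamp": "2020-10-29T20:15:00.100Z"},
    # Installer writes a DLL that a different process loads later: not flagged by this rule.
    {"EventID": 11, "ProcessGuid": "{GUID-B}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Temp\\vendor.dll", "@timestamp": "2020-10-29T20:16:00.000Z"},
    {"EventID": 7, "ProcessGuid": "{GUID-C}", "Image": "C:\\Temp\\vendor.exe",
     "ImageLoaded": "C:\\Temp\\vendor.dll", "@timestamp": "2020-10-29T20:16:05.000Z"},
    # Load that happens long after the create (outside the window): not flagged.
    {"EventID": 11, "ProcessGuid": "{GUID-D}", "Image": "C:\\Temp\\build.exe",
     "TargetFilename": "C:\\Temp\\out.dll", "@timestamp": "2020-10-29T20:00:00.000Z"},
    {"EventID": 7, "ProcessGuid": "{GUID-D}", "Image": "C:\\Temp\\build.exe",
     "ImageLoaded": "C:\\Temp\\out.dll", "@timestamp": "2020-10-29T20:30:00.000Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def find_created_then_loaded(events, window=timedelta(minutes=5)):
    """Return ImageLoaded (EventID 7) events whose path was written (EventID 11)
    by the same process (ProcessGuid) within `window` before the load.
    Paths are compared case-insensitively because NTFS paths are."""
    creates = defaultdict(list)  # (ProcessGuid, lowercased path) -> create times
    for e in events:
        if e["EventID"] == 11:
            key = (e["ProcessGuid"], e["TargetFilename"].lower())
            creates[key].append(parse_ts(e["@timestamp"]))

    hits = []
    for e in events:
        if e["EventID"] != 7:
            continue
        key = (e["ProcessGuid"], e["ImageLoaded"].lower())
        load_time = parse_ts(e["@timestamp"])
        for create_time in creates.get(key, []):
            delta = load_time - create_time
            if timedelta(0) <= delta <= window:
                hits.append({
                    "ProcessGuid": e["ProcessGuid"],
                    "Image": e["Image"],
                    "ImageLoaded": e["ImageLoaded"],
                    "seconds_between": delta.total_seconds(),
                })
                break  # one matching create is enough to flag this load
    return hits


if __name__ == "__main__":
    for hit in find_created_then_loaded(SAMPLE_EVENTS):
        print(hit)
```

Against the constructed records only the SharpView process is flagged: it is the only one that both writes a file and loads that same path itself within the window. In the notebook the same logic can be expressed as a self-join of mordorTable between EventID 11 and EventID 7 rows on ProcessGuid with lower(TargetFilename) = lower(ImageLoaded), which avoids having to know the dropped DLL's name in advance.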