PowerShell HTTP Listener¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/11/02 |
Modification Date |
2020/11/02 |
Tactics |
[‘TA0002’] |
Techniques |
[‘T1059.001’] |
Tags |
None |
Dataset Description¶
This dataset represents a threat actor using PowerShell to start an HTTP Listener on a compromised endpoint
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
Simulation Plan¶
Environment |
Tool Type |
Module |
---|---|---|
Lab VM |
Manual |
PowerShell |
Adversary View¶
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8000/")
$Hso.Start()
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/execution/host/psh_powershell_httplistener.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10 |67 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13 |15 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12 |13 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7 |8 |
|WORKSTATION5|Security |5158 |3 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|22 |1 |
|WORKSTATION5|Security |5156 |1 |
|WORKSTATION5|Security |5154 |1 |
|WORKSTATION5|Security |1102 |1 |
+------------+------------------------------------+-------+-----+