PowerShell HTTP Listener

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/11/02

Modification Date

2020/11/02

Tactics

[‘TA0002’]

Techniques

[‘T1059.001’]

Tags

None

Dataset Description

This dataset represents a threat actor using PowerShell to start an HTTP Listener on a compromised endpoint

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

Lab VM

Manual

PowerShell

Adversary View

$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8000/")
$Hso.Start() 

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/execution/host/psh_powershell_httplistener.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |67   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |15   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |13   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |8    |
|WORKSTATION5|Security                            |5158   |3    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|22     |1    |
|WORKSTATION5|Security                            |5156   |1    |
|WORKSTATION5|Security                            |5154   |1    |
|WORKSTATION5|Security                            |1102   |1    |
+------------+------------------------------------+-------+-----+