PurpleSharp PE Injection CreateRemoteThread¶

Metadata¶


Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/10/23
Modification Date	2020/10/23
Tactics	[‘TA0004’, ‘TA0005’]
Techniques	[‘T1055.002’]
Tags	None

Dataset Description¶

This dataset represents threat actors injecting portable executables (PE) into processes via APIs such asVirtualAllocEx and WriteProcessMemory and running it on the virtual address space of another process via the CreateRemoteThread API.

Datasets Downloads¶

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/purplesharp_pe_injection_createremotethread.zip

Notebooks¶

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan¶

Environment	Tool Type	Module
Lab VM	Manual	Cmd

Adversary View¶

C:\Users\wardog\Desktop>PurpleSharp.exe /t T1055.002
10/23/2020 03:12:04 [*]  Starting T1055.002 Simulation on WORKSTATION5
10/23/2020 03:12:04 [*]  Simulator running from C:\Users\wardog\Desktop\PurpleSharp.exe with PID:8972 as WORKSTATION5\wardog
10/23/2020 03:12:04 [*]  Process notepad.exe with PID:9908 started for the injection
10/23/2020 03:12:04 [*]  Calling OpenProcess on PID:9908
10/23/2020 03:12:04 [*]  Calling VirtualAllocEx on PID:9908
10/23/2020 03:12:04 [*]  Calling WriteProcessMemory on PID:9908
10/23/2020 03:12:04 [*]  Calling CreateRemoteThread on PID:9908
10/23/2020 03:12:04 [*]  Simulation Finished
10/23/2020 03:12:04 [*]  Playbook Finished

C:\Users\wardog\Desktop>

Explore Mordor Dataset¶

Initialize Analytics Engine¶

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File¶

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/purplesharp_pe_injection_createremotethread.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data¶

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |253  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |241  |
|WORKSTATION5|Security                            |4658   |46   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |37   |
|WORKSTATION5|Security                            |4656   |24   |
|WORKSTATION5|Security                            |4690   |24   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |15   |
|WORKSTATION5|Security                            |5156   |12   |
|WORKSTATION5|Security                            |4663   |7    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1      |6    |
|WORKSTATION5|Security                            |4688   |6    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|9      |4    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |3    |
|WORKSTATION5|Security                            |5158   |2    |
|WORKSTATION5|System                              |104    |2    |
|WORKSTATION5|Security                            |4670   |2    |
|WORKSTATION5|Security                            |4673   |2    |
|WORKSTATION5|Security                            |4689   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|5      |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|24     |1    |
+------------+------------------------------------+-------+-----+
only showing top 20 rows

Invoke BypassUAC FodHelper Empire Elevated WMI Eventing