# Covenant Wuauclt CreateRemoteThread Execution

## Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/10/12 |
| Modification Date | 2020/10/12 |
| Tactics | ['TA0005'] |
| Techniques | ['T1218'] |
| Tags | ['CreateRemoteThread'] |
## Dataset Description

This dataset represents adversaries proxy-executing code via the Windows Update client utility (wuauclt.exe). To bypass rules that look for the binary reaching out directly to the Internet, this dataset shows the binary creating and running a thread in the virtual address space of another process via the CreateRemoteThread API.
## Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
## Notebooks

Notebooks created by the community leveraging the mordor datasets

| Author | Name | Link |
|---|---|---|
| Threat Hunter Playbook | Signed Binary Proxy Execution via CreateRemoteThread | https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-201012183248.html |
## Adversary View

```
Upload /filepath:"C:\ProgramData\SimpleInjection.dll"
ShellCmd /shellcommand:"C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\SimpleInjection.dll /RunHandlerComServer"
```
## Explore Mordor Dataset

### Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

### Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/covenant_lolbin_wuauclt_createremotethread.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
### Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |153  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |147  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |110  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |90   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |65   |
|WORKSTATION6.theshire.local|Security                            |4658   |64   |
|MORDORDC.theshire.local    |Security                            |5158   |52   |
|WORKSTATION6.theshire.local|Security                            |5158   |45   |
|MORDORDC.theshire.local    |Security                            |5156   |45   |
|WORKSTATION5.theshire.local|security                            |4658   |37   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |37   |
|WORKSTATION6.theshire.local|Security                            |4690   |32   |
|WORKSTATION6.theshire.local|Security                            |4663   |32   |
|WORKSTATION6.theshire.local|Security                            |4656   |32   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |30   |
|WORKSTATION5.theshire.local|security                            |5158   |28   |
|WORKSTATION6.theshire.local|Security                            |5156   |25   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|10     |25   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |23   |
|WORKSTATION5.theshire.local|security                            |5156   |22   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
```
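As an added example (not part of the Mordor project or the Threat Hunter Playbook notebook), the hunt the dataset description implies can be expressed as a join of Sysmon Event ID 7 (wuauclt.exe loading a DLL from outside C:\Windows) with Event ID 8 (the same process creating a remote thread). The block below carries that logic as a Spark SQL string for the `mordorTable` view plus an equivalent pure-Python version run over constructed Sysmon-style records; the field names follow Sysmon's schema, and the sample events and process GUIDs are made up for the demonstration.

```python
import re

# Spark SQL form of the hunt, meant for spark.sql() against the mordorTable view.
# Backslashes are doubled twice: once for the SQL string literal, once for LIKE's escape.
HUNT_SQL = r'''
SELECT b.`@timestamp`, b.Hostname, a.ImageLoaded, b.TargetImage
FROM mordorTable b
JOIN mordorTable a
  ON a.Hostname = b.Hostname AND a.ProcessGuid = b.SourceProcessGuid
WHERE b.Channel = "Microsoft-Windows-Sysmon/Operational" AND b.EventID = 8
  AND LOWER(b.SourceImage) LIKE "%wuauclt.exe"
  AND a.EventID = 7
  AND LOWER(a.ImageLoaded) NOT LIKE "c:\\\\windows\\\\%"
'''

WIN_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)

def find_wuauclt_remote_threads(events):
    """Return (hostname, dll, target_image) for wuauclt.exe processes that loaded a DLL
    from outside C:\\Windows (EID 7) and then created a thread in another process (EID 8)."""
    # Step 1: wuauclt.exe processes that loaded a DLL from an unusual path, keyed by host + GUID.
    loaded = {}
    for e in events:
        if (e.get("EventID") == 7
                and e.get("Image", "").lower().endswith("\\wuauclt.exe")
                and not WIN_DIR.match(e.get("ImageLoaded", ""))):
            loaded[(e["Hostname"], e["ProcessGuid"])] = e["ImageLoaded"]
    # Step 2: remote-thread creations whose source process is one of those.
    hits = []
    for e in events:
        if e.get("EventID") == 8 and e.get("SourceImage", "").lower().endswith("\\wuauclt.exe"):
            key = (e["Hostname"], e["SourceProcessGuid"])
            if key in loaded:
                hits.append((e["Hostname"], loaded[key], e["TargetImage"]))
    return hits

# Constructed sample events (not taken from the dataset); GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 7, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "ProcessGuid": "{guid-1}"},  # normal load
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 7, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\ProgramData\SimpleInjection.dll", "ProcessGuid": "{guid-1}"},  # unusual load
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 8, "SourceImage": r"C:\Windows\System32\wuauclt.exe",
     "SourceProcessGuid": "{guid-1}", "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"Hostname": "WORKSTATION6.theshire.local", "EventID": 8, "SourceImage": r"C:\Windows\System32\wuauclt.exe",
     "SourceProcessGuid": "{guid-2}", "TargetImage": r"C:\Windows\explorer.exe"},  # no unusual DLL: not flagged
]

if __name__ == "__main__":
    for hit in find_wuauclt_remote_threads(SAMPLE_EVENTS):
        print(hit)
```

Only the WORKSTATION5 process is reported, because the EID 8 event on WORKSTATION6 has no matching out-of-tree DLL load; this is the correlation that separates the injection case from ordinary Windows Update activity.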