Covenant SharpSC Query

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/08/06

Modification Date

2020/08/06

Tactics

['TA0008']

Techniques

['T1021.002']

Tags

['RPC EnumServiceStatusW', 'SMB Svcctl']

Dataset Description

This dataset represents a threat actor leveraging the RPC method EnumServiceStatusW, reached over the SMB named pipe svcctl, to query the status of a service on a remote endpoint.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment     Tool Type    Module
Mordor shire    C2           SharpSC

Adversary View

(wardog) > SharpSC /command:"action=query computername=WORKSTATION6 service=ikeext"

[+] Service information for IKEEXT on WORKSTATION6:

  DisplayName: IKE and AuthIP IPsec Keying Modules
  ServiceName: IKEEXT
  Status     : Stopped
  CanStop    : False

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *   # OTRF helper library that wraps Spark for Mordor datasets
spark = get_spark()                  # start (or reuse) a local SparkSession

Download & Process Mordor File

# Download the zipped JSON-lines dataset and expose it as a SparkSQL view named mordorTable
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpsc_query_dcerpc_smb_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and EventID to see which log sources the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |91   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |25   |
|WORKSTATION5.theshire.local|Security                            |5156   |21   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |19   |
|MORDORDC.theshire.local    |Security                            |5156   |16   |
|WORKSTATION6.theshire.local|Security                            |5156   |16   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |14   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|13     |13   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |11   |
|MORDORDC.theshire.local    |Security                            |5158   |11   |
|WORKSTATION5.theshire.local|Security                            |5158   |10   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|10     |8    |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |7    |
|WORKSTATION6.theshire.local|Security                            |4656   |7    |
|MORDORDC.theshire.local    |Security                            |4658   |6    |
|WORKSTATION6.theshire.local|Security                            |5157   |5    |
|MORDORDC.theshire.local    |Security                            |4634   |4    |
|MORDORDC.theshire.local    |Security                            |4627   |4    |
|MORDORDC.theshire.local    |Security                            |4672   |4    |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |4    |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
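The same "get to know your data" count, plus a hunt for the svcctl pipe access that a remote EnumServiceStatusW call lands on, written without Spark so it runs offline. This is an added example, not part of the original notebook; it assumes the Mordor JSON-lines layout (one event per line with Hostname, Channel, EventID fields) and that the target host audits file-share access (Security event 5145, which does not appear in the top-20 rows above), and the records below are constructed, not taken from the dataset.

```python
import json
from collections import Counter

# Constructed sample records in the Mordor JSON-lines layout; hostnames follow the
# page, IPs and user names are placeholders, not values from the real dataset.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "DestinationIp": "10.0.0.6", "DestinationPort": 445},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5145,
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl",
     "IpAddress": "10.0.0.5", "SubjectUserName": "labuser"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5145,
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.5", "SubjectUserName": "labuser"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5156,
     "DestPort": "445", "SourceAddress": "10.0.0.5"},
])


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_counts(events):
    """Equivalent of the GROUP BY Hostname, Channel, EventID query in the notebook."""
    return Counter((e["Hostname"], e["Channel"], e["EventID"]) for e in events)


def svcctl_pipe_access(events):
    """Security 5145 records where a remote principal opened the svcctl named pipe
    on the IPC$ share. The Service Control Manager RPC interface (EnumServiceStatusW
    among other methods) is bound through this pipe, so a remote service query shows
    up here on the target rather than as a process event."""
    return [e for e in events
            if e.get("Channel") == "Security" and e.get("EventID") == 5145
            and str(e.get("ShareName", "")).upper().endswith("IPC$")
            and str(e.get("RelativeTargetName", "")).lower() == "svcctl"]


def smb_sources(events):
    """Sysmon 3 records for outbound SMB (port 445) connections, keyed by source host
    and image; use these to pin the svcctl access back to the originating process."""
    return {(e["Hostname"], e.get("Image")) for e in events
            if e.get("EventID") == 3 and e.get("DestinationPort") == 445}
```

Run it against the real dataset by feeding the unzipped JSON-lines file to `load_events` and joining `svcctl_pipe_access` hits on `IpAddress` to the hosts returned by `smb_sources`.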