Covenant Remote File Copy

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/08/06

Modification Date

2020/08/06

Tactics

['TA0008']

Techniques

['T1021.002']

Tags

['SMB CreateRequest']

Dataset Description

This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment  | Tool Type | Module
Mordor shire | C2        | Copy

Adversary View

[09/22/2020 18:53:30 UTC] Copy completed
(wardog) > Copy /source:"C:\Users\pgustavo\Desktop\GruntHTTP.exe" /destination:"\\WORKSTATION6\C$\ProgramData\GruntHTTP.exe"

Successfully copied file from: C:\Users\pgustavo\Desktop\GruntHTTP.exe to: \\WORKSTATION6\C$\ProgramData\GruntHTTP.exe

Explore Mordor Dataset

Initialize Analytics Engine

# OpenHunt helpers for loading Mordor datasets into Spark
from openhunt.mordorutils import *
spark = get_spark()  # local SparkSession used for the SQL queries below

Download & Process Mordor File

# Download the zipped JSON dataset and expose it as a temporary SparkSQL view
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_copy_smb_CreateRequest.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

# Event-count summary per host and log channel, most frequent first
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |145  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |100  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |61   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |52   |
|MORDORDC.theshire.local    |Security                            |5158   |29   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |27   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |15   |
|WORKSTATION5.theshire.local|security                            |5158   |12   |
|MORDORDC.theshire.local    |Security                            |5156   |10   |
|WORKSTATION5.theshire.local|security                            |5156   |10   |
|WORKSTATION6.theshire.local|security                            |5156   |8    |
|WORKSTATION6.theshire.local|security                            |5158   |8    |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |3    |
|WORKSTATION6.theshire.local|security                            |5145   |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |2    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|3      |2    |
|WORKSTATION6.theshire.local|security                            |5140   |2    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|5      |2    |
|WORKSTATION5.theshire.local|security                            |4689   |2    |
|WORKSTATION6.theshire.local|security                            |4627   |1    |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
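The counts above show Security 5145 (network share object access checks) and Sysmon 11 (FileCreate) on WORKSTATION6, the destination of the copy. The detection logic a hunter would write as SparkSQL over mordorTable is shown here as an added example that is not part of the original notebook: it runs over a few constructed records so it works offline, and assumes the flattened Mordor column names follow the Security 5145 fields (ShareName, RelativeTargetName, AccessMask, SubjectUserName) and the Sysmon 11 fields (Image, TargetFilename).

```python
# Added example, not from the original Mordor notebook. Sample events below are
# constructed to mirror what the Covenant Copy module leaves on the destination
# host; they are not rows taken from the dataset.
EVENTS = [
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 5145,
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "ProgramData\\GruntHTTP.exe",
     "AccessMask": "0x2", "SubjectUserName": "pgustavo"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 5145,
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "AccessMask": "0x12019f", "SubjectUserName": "pgustavo"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 11, "Image": "System", "TargetFilename": "C:\\ProgramData\\GruntHTTP.exe"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\x\\a.txt"},
]

# Administrative shares mapped to the local path their root corresponds to
ADMIN_SHARES = {"C$": "C:\\", "ADMIN$": "C:\\Windows\\"}


def admin_share_writes(events):
    """Security 5145 where write access (AccessMask bit 0x2 = WriteData/AddFile)
    was requested on an administrative share such as C$ or ADMIN$."""
    hits = []
    for e in events:
        if e.get("Channel", "").lower() != "security" or e.get("EventID") != 5145:
            continue
        share = e.get("ShareName", "").rsplit("\\", 1)[-1]
        if share in ADMIN_SHARES and int(e.get("AccessMask", "0x0"), 16) & 0x2:
            hits.append(e)
    return hits


def smb_file_creates(events):
    """Sysmon 11 with Image == System: files written through the SMB server are
    attributed to the System process, not to a user-land binary."""
    return [e for e in events
            if e.get("EventID") == 11
            and e.get("Channel", "").startswith("Microsoft-Windows-Sysmon")
            and e.get("Image") == "System"]


def correlate(events):
    """Join a share write to the matching Sysmon file create on the same host.
    RelativeTargetName is relative to the share root, so it is rebuilt into a
    full path before comparing against TargetFilename."""
    creates = {(e["Hostname"], e["TargetFilename"].lower()) for e in smb_file_creates(events)}
    matches = []
    for w in admin_share_writes(events):
        root = ADMIN_SHARES[w["ShareName"].rsplit("\\", 1)[-1]]
        full = root + w["RelativeTargetName"]
        if (w["Hostname"], full.lower()) in creates:
            matches.append((w["Hostname"], w["SubjectUserName"], full))
    return matches
```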