Covenant Remote File Copy¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/08/06 |
Modification Date |
2020/08/06 |
Tactics |
[‘TA0008’] |
Techniques |
[‘T1021.002’] |
Tags |
[‘SMB CreateRequest’] |
Dataset Description¶
This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
|
Network |
Simulation Plan¶
Environment |
Tool Type |
Module |
---|---|---|
Mordor shire |
C2 |
Copy |
Adversary View¶
[09/22/2020 18:53:30 UTC] Copy completed
(wardog) > Copy /source:"C:\Users\pgustavo\Desktop\GruntHTTP.exe" /destination:"\\WORKSTATION6\C$\ProgramData\GruntHTTP.exe"
Successfully copied file from: C:\Users\pgustavo\Desktop\GruntHTTP.exe to: \\WORKSTATION6\C$\ProgramData\GruntHTTP.exe
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_copy_smb_CreateRequest.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |145 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |100 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |61 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |52 |
|MORDORDC.theshire.local |Security |5158 |29 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |27 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |15 |
|WORKSTATION5.theshire.local|security |5158 |12 |
|MORDORDC.theshire.local |Security |5156 |10 |
|WORKSTATION5.theshire.local|security |5156 |10 |
|WORKSTATION6.theshire.local|security |5156 |8 |
|WORKSTATION6.theshire.local|security |5158 |8 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|11 |3 |
|WORKSTATION6.theshire.local|security |5145 |3 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11 |2 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|3 |2 |
|WORKSTATION6.theshire.local|security |5140 |2 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|5 |2 |
|WORKSTATION5.theshire.local|security |4689 |2 |
|WORKSTATION6.theshire.local|security |4627 |1 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows