Covenant SharpSC Start¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/08/06 |
Modification Date |
2020/09/20 |
Tactics |
[‘TA0008’] |
Techniques |
[‘T1021.002’] |
Tags |
[‘RPC StartService’, ‘SMB Svcctl’] |
Dataset Description¶
This dataset represents adversaries remotely starting a service via RPC methods such as StartService over SMB named pipes such as svcctl.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
|
Network |
Adversary View¶
(wardog) > SharpSC /command:"action=start computername=WORKSTATION6 service=ikeext"
[*] Attempting to start service ikeext on WORKSTATION6...
[+] Successfully started ikeext on WORKSTATION6!
DisplayName: IKE and AuthIP IPsec Keying Modules
ServiceName: ikeext
Status : Running
CanStop : True
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpsc_start_dcerpc_smb_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |12 |2189 |
|MORDORDC.theshire.local |Security |4658 |763 |
|MORDORDC.theshire.local |Security |4690 |382 |
|MORDORDC.theshire.local |Security |4656 |382 |
|MORDORDC.theshire.local |Security |4663 |365 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |336 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |7 |272 |
|MORDORDC.theshire.local |Microsoft-Windows-PowerShell/Operational|4103 |169 |
|MORDORDC.theshire.local |Windows PowerShell |800 |169 |
|WORKSTATION6.theshire.local|Security |4656 |108 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |10 |98 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |84 |
|MORDORDC.theshire.local |Security |4703 |71 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |60 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |59 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |41 |
|MORDORDC.theshire.local |Security |5158 |37 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |13 |36 |
|MORDORDC.theshire.local |Security |5156 |30 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |3 |29 |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows