Covenant SharpSC Start

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/08/06

Modification Date

2020/09/20

Tactics

['TA0008']

Techniques

['T1021.002']

Tags

['RPC StartService', 'SMB Svcctl']

Dataset Description

This dataset represents adversaries remotely starting a service via RPC methods such as StartService over SMB named pipes such as svcctl.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link

Simulation Plan

Environment    Tool Type    Module
Mordor shire   C2           SharpSC

Adversary View

(wardog) > SharpSC /command:"action=start computername=WORKSTATION6 service=ikeext"

[*] Attempting to start service ikeext on WORKSTATION6...
[+] Successfully started ikeext on WORKSTATION6!
  DisplayName: IKE and AuthIP IPsec Keying Modules
  ServiceName: ikeext
  Status     : Running
  CanStop    : True

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpsc_start_dcerpc_smb_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |12     |2189 |
|MORDORDC.theshire.local    |Security                                |4658   |763  |
|MORDORDC.theshire.local    |Security                                |4690   |382  |
|MORDORDC.theshire.local    |Security                                |4656   |382  |
|MORDORDC.theshire.local    |Security                                |4663   |365  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |336  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |7      |272  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |169  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |169  |
|WORKSTATION6.theshire.local|Security                                |4656   |108  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |10     |98   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |84   |
|MORDORDC.theshire.local    |Security                                |4703   |71   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |60   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |59   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |41   |
|MORDORDC.theshire.local    |Security                                |5158   |37   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |13     |36   |
|MORDORDC.theshire.local    |Security                                |5156   |30   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |3      |29   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
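The summary query above only tells you which hosts and channels are noisy; the next step a hunter takes on this dataset is to look for the remote service-control traffic itself. The Service Control Manager RPC interface is reached over SMB through the svcctl named pipe, and a remote StartService call like the SharpSC action shown in the Adversary View has to open that pipe on the target. The block below is an added example, not code from the original notebook or from the Mordor project: it reimplements the notebook's GROUP BY summary offline (so it runs without Spark) and adds a filter for Security event 5145 (Detailed File Share) where a client opens `svcctl` on IPC$. It assumes Mordor keeps the Windows event field names as column names (`ShareName`, `RelativeTargetName`, `IpAddress`, `SubjectUserName`, `AccessMask`); whether this specific dataset actually contains 5145 events is also an assumption, since they do not appear in the top-20 table. The sample events, IP address and user name are constructed for the demonstration.

```python
"""
Offline stand-in for the mordorTable exploration (added example; not part of the
original notebook or the Mordor project). It mirrors the notebook's
SELECT Hostname, Channel, EventID, Count(*) summary and adds a hunt for clients
opening the svcctl named pipe, the path a remote StartService call takes.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Assumed column names: Mordor flattens the Windows event XML into columns named
# after the event's own data fields. For Security 5145 those are ShareName,
# RelativeTargetName, IpAddress, SubjectUserName and AccessMask.
# Spark SQL equivalent of svcctl_pipe_access() for readers who have the
# mordorTable view registered (assumes the same column names).
SVCCTL_HUNT_SQL = """
SELECT `@timestamp`, Hostname, SubjectUserName, IpAddress,
       ShareName, RelativeTargetName, AccessMask
FROM mordorTable
WHERE Channel = 'Security'
  AND EventID = 5145
  AND ShareName LIKE '%IPC$'
  AND lower(RelativeTargetName) = 'svcctl'
"""


def summarize(events: Iterable[Event]) -> List[Tuple[str, str, int, int]]:
    """Same result as the notebook's GROUP BY Hostname, Channel, EventID
    ORDER BY count DESC; ties are broken by key so the order is deterministic."""
    counts = Counter((e["Hostname"], e["Channel"], e["EventID"]) for e in events)
    rows = [(host, chan, eid, n) for (host, chan, eid), n in counts.items()]
    rows.sort(key=lambda r: (-r[3], r[0], r[1], r[2]))
    return rows


def svcctl_pipe_access(events: Iterable[Event]) -> List[Event]:
    """Security 5145 events where a client opened the svcctl pipe on the IPC$
    share. Remote SCM operations (StartService, CreateService, ...) over SMB
    go through this pipe, so each hit is a remote service-control session."""
    hits = []
    for e in events:
        if e.get("Channel") != "Security" or e.get("EventID") != 5145:
            continue
        share = str(e.get("ShareName", ""))
        target = str(e.get("RelativeTargetName", "")).lower()
        if share.upper().endswith("IPC$") and target == "svcctl":
            hits.append(e)
    return hits


# Constructed sample events in the dataset's shape (not taken from the real
# dataset; the IP address and user name are placeholders).
SAMPLE_EVENTS: List[Event] = [
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5145,
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl",
     "IpAddress": "192.0.2.10", "SubjectUserName": "labuser", "AccessMask": "0x12019f"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5145,
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "192.0.2.10", "SubjectUserName": "labuser", "AccessMask": "0x12019f"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4656},
    {"Hostname": "MORDORDC.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 12},
    {"Hostname": "MORDORDC.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 12},
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print("{:<30}{:<40}{:<8}{}".format(*row))
    for hit in svcctl_pipe_access(SAMPLE_EVENTS):
        print("svcctl pipe opened on", hit["Hostname"], "from",
              hit["IpAddress"], "by", hit["SubjectUserName"])
```

Event 5145 is only written when the "Audit Detailed File Share" subcategory is enabled on the target host, so if the filter returns nothing the first thing to check is that audit setting rather than the query. Since svcctl is also used by legitimate remote administration, treat hits as a pivot: join them on `IpAddress` and `SubjectUserName` with the service-start and process-creation events on the same host rather than alerting on the pipe access alone.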