Covenant SharpSC Stop Service

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/08/06

Modification Date

2020/08/06

Tactics

['TA0008']

Techniques

['T1021.002']

Tags

['RPC ControlService', 'Stop Service', 'SMB Svcctl']

Dataset Description

This dataset represents a threat actor using the RPC ControlService method over SMB to stop a service.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment  | Tool Type | Module
Mordor shire | C2        | SharpSC

Adversary View

(wardog) > SharpSC /command:"action=stop computername=WORKSTATION6 service=ikeext"

[*] Attempting to stop service ikeext on WORKSTATION6...
[+] Successfully stopped ikeext on WORKSTATION6!
  DisplayName: IKE and AuthIP IPsec Keying Modules
  ServiceName: ikeext
  Status     : Stopped
  CanStop    : False

https://github.com/djhohnstein/SharpSC

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_sharpsc_stop_dcerpc_smb_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |171  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |162  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |124  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |99   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |92   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |61   |
|MORDORDC.theshire.local    |Security                            |4658   |44   |
|WORKSTATION6.theshire.local|Security                            |4656   |43   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |38   |
|MORDORDC.theshire.local    |Security                            |4703   |32   |
|WORKSTATION5.theshire.local|Security                            |5156   |30   |
|WORKSTATION6.theshire.local|Security                            |5156   |28   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |26   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|13     |24   |
|MORDORDC.theshire.local    |Security                            |5156   |24   |
|MORDORDC.theshire.local    |Security                            |4656   |22   |
|MORDORDC.theshire.local    |Security                            |4690   |22   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|10     |17   |
|MORDORDC.theshire.local    |Security                            |5158   |16   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |16   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
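As an added example that is not part of the notebook above or of the Mordor project: once the counts show which channels the dataset carries, a first detection cut for this technique is to pair an SMB open of the svcctl named pipe on IPC$ (Security 5145) with a Service Control Manager "entered the stopped state" notice (System 7036) on the same host shortly afterwards. The code is plain Python over constructed JSON events in the flat per-line layout Mordor uses; the 5145/7036 field names (ShareName, RelativeTargetName, param1, param2), the timestamps and the IP/user values are assumptions, not taken from this page.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the dataset). Field names for 5145/7036
# are assumptions about the flat Mordor JSON layout, one event per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"@timestamp": "2020-08-06T22:10:01.000Z", "Hostname": "WORKSTATION6.theshire.local",
                "Channel": "Security", "EventID": 5145, "SubjectUserName": "pgustavo",
                "IpAddress": "172.18.39.5", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl"}),
    json.dumps({"@timestamp": "2020-08-06T22:10:02.000Z", "Hostname": "WORKSTATION6.theshire.local",
                "Channel": "System", "EventID": 7036,
                "param1": "IKE and AuthIP IPsec Keying Modules", "param2": "stopped"}),
    json.dumps({"@timestamp": "2020-08-06T22:10:03.000Z", "Hostname": "WORKSTATION5.theshire.local",
                "Channel": "System", "EventID": 7036, "param1": "Windows Update", "param2": "running"}),
])

def parse_events(text):
    """Parse one JSON event per line and attach a datetime for windowing."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["_ts"] = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append(e)
    return events

def svcctl_pipe_access(e):
    # Security 5145: a network share object was checked; svcctl on IPC$ is the
    # Service Control Manager RPC endpoint reached over SMB.
    return (e.get("Channel") == "Security" and e.get("EventID") == 5145
            and e.get("ShareName", "").endswith("IPC$")
            and e.get("RelativeTargetName", "").lower() == "svcctl")

def service_stopped(e):
    # System 7036 from the Service Control Manager: "<service> entered the stopped state".
    return (e.get("Channel") == "System" and e.get("EventID") == 7036
            and e.get("param2", "").lower() == "stopped")

def find_remote_service_stops(events, window_seconds=60):
    """Pair each svcctl pipe access with a service stop on the same host inside the window."""
    hits = []
    for a in filter(svcctl_pipe_access, events):
        for s in filter(service_stopped, events):
            delta = s["_ts"] - a["_ts"]
            if s["Hostname"] == a["Hostname"] and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                hits.append({"host": a["Hostname"], "source_ip": a.get("IpAddress"),
                             "user": a.get("SubjectUserName"), "service": s["param1"]})
    return hits

if __name__ == "__main__":
    for hit in find_remote_service_stops(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

The same pairing can be expressed as a self-join in the notebook's Spark SQL once the 5145 and 7036 fields are confirmed present in mordorTable.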