DCOM RegisterXLL

Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/09/18 |
| Modification Date | 2020/09/18 |
| Tactics | ['TA0008'] |
| Techniques | ['T1021.003'] |
| Tags | ['DCOM'] |
Dataset Description

This dataset represents adversaries calling the Excel.Application COM method RegisterXLL over DCOM to make Excel on a remote host load an XLL add-in. The XLL can already exist on the target or be served from a share reachable by a UNC path such as \\SERVER\FILES. Because an XLL is a native DLL that Excel loads into its own process, the add-in's code runs inside the remotely activated EXCEL.EXE with that process's privileges.
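The detection that follows from the description, as an added example that is not part of the original notebook: a pure-Python stand-in for the SparkSQL one would run over mordorTable. It looks for Sysmon event 7 (image load) records where EXCEL.EXE loads a *.xll, then joins each hit back to the Sysmon event 1 (process create) of the same ProcessGuid to see whether Excel was started by the DCOM activation service, which on Windows is the DcomLaunch service hosted in svchost.exe, rather than by the user's explorer.exe. Field names are Sysmon's own; the log lines embedded in the block are constructed for the demo and are not taken from the dataset.

```python
"""Hunt for DCOM-launched Excel loading an XLL add-in.

Added example, not code from the original Mordor notebook. The sample
events below are constructed JSON lines (one Sysmon event per line);
field names follow Sysmon's schema as exported in Mordor datasets.
"""
import json
from typing import Dict, List, Set

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample events. Backslashes are doubled because these are
# JSON string literals inside a raw Python string.
SAMPLE_LOG = r"""
{"Hostname":"WORKSTATION6.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"ProcessGuid":"{A1}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"}
{"Hostname":"WORKSTATION6.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":7,"ProcessGuid":"{A1}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ImageLoaded":"C:\\programdata\\calc.xll"}
{"Hostname":"WORKSTATION6.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":7,"ProcessGuid":"{A1}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll"}
{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"ProcessGuid":"{B2}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE"}
{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":7,"ProcessGuid":"{B2}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ImageLoaded":"\\\\SERVER\\FILES\\analysis.xll"}
"""


def parse_events(log: str) -> List[Dict]:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def is_excel(image: str) -> bool:
    """Match EXCEL.EXE by file name, case-insensitively."""
    return image.lower().rsplit("\\", 1)[-1] == "excel.exe"


def dcom_launched_excel(events: List[Dict]) -> Set[str]:
    """ProcessGuids of Excel instances created by the DCOM launcher.

    DCOM activation requests are serviced by the DcomLaunch service, which
    runs inside svchost.exe, so a remotely activated Excel.Application has
    svchost.exe (-k DcomLaunch) as its parent instead of explorer.exe.
    """
    guids = set()
    for e in events:
        if e.get("Channel") != SYSMON or e.get("EventID") != 1:
            continue
        if not is_excel(e.get("Image", "")):
            continue
        parent = e.get("ParentImage", "").lower()
        parent_cmd = e.get("ParentCommandLine", "").lower()
        if parent.endswith("\\svchost.exe") and "dcomlaunch" in parent_cmd:
            guids.add(e["ProcessGuid"])
    return guids


def xll_loads(events: List[Dict]) -> List[Dict]:
    """Sysmon event 7 records where EXCEL.EXE loaded a .xll add-in."""
    return [
        e for e in events
        if e.get("Channel") == SYSMON and e.get("EventID") == 7
        and is_excel(e.get("Image", ""))
        and e.get("ImageLoaded", "").lower().endswith(".xll")
    ]


def hunt(log: str) -> List[Dict]:
    """Return one finding per XLL load, enriched with the DCOM context."""
    events = parse_events(log)
    dcom = dcom_launched_excel(events)
    findings = []
    for e in xll_loads(events):
        path = e["ImageLoaded"]
        findings.append({
            "Hostname": e["Hostname"],
            "ProcessGuid": e["ProcessGuid"],
            "ImageLoaded": path,
            # True when the same process was created by svchost -k DcomLaunch
            "dcom_launched": e["ProcessGuid"] in dcom,
            # A UNC path means the XLL was served from a remote share
            "remote_xll": path.startswith("\\\\"),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The XLL-load match on its own is noisy in environments that use legitimate add-ins, which is why the block reports the DCOM parent and the UNC origin as separate fields rather than folding them into one verdict: an XLL loaded by an svchost-spawned Excel, or pulled from a share, is the combination worth escalating.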
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_dcom_registerxll.zip |
| Network | |
Adversary View
(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Desktop\MoveExcelXLL.exe 172.18.39.6 C:\\programdata\calc.xll
Explore Mordor Dataset

Initialize Analytics Engine
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_dcom_registerxll.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |882 |
|MORDORDC.theshire.local |Security |4658 |767 |
|MORDORDC.theshire.local |Security |4656 |384 |
|MORDORDC.theshire.local |Security |4690 |384 |
|MORDORDC.theshire.local |Security |4663 |367 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |345 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |325 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |222 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |177 |
|MORDORDC.theshire.local |Windows PowerShell |800 |169 |
|MORDORDC.theshire.local |Microsoft-Windows-PowerShell/Operational|4103 |169 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |166 |
|WORKSTATION6.theshire.local|security |4658 |126 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |79 |
|MORDORDC.theshire.local |Security |4703 |71 |
|WORKSTATION6.theshire.local|security |4656 |67 |
|WORKSTATION6.theshire.local|security |4690 |63 |
|WORKSTATION6.theshire.local|security |4663 |63 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |62 |
|MORDORDC.theshire.local |Security |5156 |48 |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows