Contents

DCOM RegisterXLL

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/18

Modification Date

2020/09/18

Tactics

[‘TA0008’]

Techniques

[‘T1021.003’]

Tags

[‘DCOM’]

Dataset Description

This dataset represents adversaries leveraging the COM Method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally in an UNC path such as \SERVER\FILES.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

Mordor shire

C2

ShellCmd

Adversary View

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Desktop\MoveExcelXLL.exe 172.18.39.6 C:\\programdata\calc.xll

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_dcom_registerxll.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |882  |
|MORDORDC.theshire.local    |Security                                |4658   |767  |
|MORDORDC.theshire.local    |Security                                |4656   |384  |
|MORDORDC.theshire.local    |Security                                |4690   |384  |
|MORDORDC.theshire.local    |Security                                |4663   |367  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |345  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |325  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |222  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |177  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |169  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |169  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |166  |
|WORKSTATION6.theshire.local|security                                |4658   |126  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |79   |
|MORDORDC.theshire.local    |Security                                |4703   |71   |
|WORKSTATION6.theshire.local|security                                |4656   |67   |
|WORKSTATION6.theshire.local|security                                |4690   |63   |
|WORKSTATION6.theshire.local|security                                |4663   |63   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |62   |
|MORDORDC.theshire.local    |Security                                |5156   |48   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
Covenant Remote WMI Wbemcomn DLL Hijacking Covenant SharpWMI Exec