.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

DCOM RegisterXLL

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/09/18
Modification Date	2020/09/18
Tactics	[‘TA0008’]
Techniques	[‘T1021.003’]
Tags	[‘DCOM’]

Dataset Description

This dataset represents adversaries leveraging the COM Method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally in an UNC path such as \SERVER\FILES.

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_dcom_registerxll.zip
Network	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/network/covenant_dcom_registerxll.zip

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan

Environment	Tool Type	Module
Mordor shire	C2	ShellCmd

Adversary View

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Desktop\MoveExcelXLL.exe 172.18.39.6 C:\\programdata\calc.xll

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_dcom_registerxll.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |882  |
|MORDORDC.theshire.local    |Security                                |4658   |767  |
|MORDORDC.theshire.local    |Security                                |4656   |384  |
|MORDORDC.theshire.local    |Security                                |4690   |384  |
|MORDORDC.theshire.local    |Security                                |4663   |367  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |345  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |325  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |222  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |177  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |169  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |169  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |166  |
|WORKSTATION6.theshire.local|security                                |4658   |126  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |79   |
|MORDORDC.theshire.local    |Security                                |4703   |71   |
|WORKSTATION6.theshire.local|security                                |4656   |67   |
|WORKSTATION6.theshire.local|security                                |4690   |63   |
|WORKSTATION6.theshire.local|security                                |4663   |63   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |62   |
|MORDORDC.theshire.local    |Security                                |5156   |48   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows

Covenant Remote WMI Wbemcomn DLL Hijacking Covenant SharpWMI Exec