Covenant Remote WMI Wbemcomn DLL Hijacking

Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/10/09 |
| Modification Date | 2020/10/09 |
| Tactics | |
| Techniques | ['T1047'] |
| Tags | ['SMB CreateRequest'] |
Dataset Description

This dataset represents adversaries abusing a DLL hijack in the WMI provider host (wmiprvse.exe), which loads wbemcomn.dll from its own directory, to achieve lateral movement: the DLL is planted on the remote host over SMB and then loaded when WMI execution is triggered remotely.
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_wmi_wbemcomn_dll_hijack.zip |
| Network | |
Notebooks

Notebooks created by the community leveraging the mordor datasets

| Author | Name | Link |
|---|---|---|
| Threat Hunter Playbook | Remote WMI Wbemcomn DLL Hijack | https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html |
Adversary View

Covenant grunt tasks run by the operator: the first copies the malicious DLL over the C$ admin share into the path wmiprvse.exe resolves wbemcomn.dll from, the second triggers a remote WMI query so the provider host starts and loads it.

```
Copy /source:"C:\ProgramData\test.dll" /destination:"\\WORKSTATION6\C$\Windows\System32\wbem\wbemcomn.dll"
ShellCmd /shellcommand:"wmic /node:WORKSTATION6 os get"
```
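The two steps above leave a distinct trail on the target: a write to `Windows\System32\wbem\wbemcomn.dll` through the admin share (Security 5145), the file creation itself (Sysmon 11), and wmiprvse.exe loading a wbemcomn.dll that is not Microsoft-signed (Sysmon 7). The following is an added example, not code from the Mordor project or the linked notebook: it loads a handful of constructed events (not rows from the dataset; hostnames reuse the lab naming, the user name, IP address and field values are assumptions) into an in-memory SQLite table named `mordorTable` and runs two SQL queries with the same shape one would hand to `spark.sql()` against the real table. The `has_write_bit` helper is a hypothetical user-defined function added so the 5145 AccessMask is tested for the WriteData bit rather than compared to one literal value.

```python
"""Detection logic for the remote wbemcomn.dll hijack over constructed sample events.

The SQL is written so it can be reused against a Spark table with the same column
names; only the has_write_bit() helper is SQLite-specific (hypothetical, defined below).
"""
import sqlite3

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Flattened column set shared by all rows; fields absent from an event stay NULL.
COLUMNS = ("Hostname", "Channel", "EventID", "Image", "ImageLoaded", "Signed",
           "Signature", "TargetFilename", "ShareName", "RelativeTargetName",
           "AccessMask", "SubjectUserName", "IpAddress")

# Constructed sample events (NOT taken from the Mordor dataset). They model the two
# adversary steps: a DLL written via C$ and then loaded by wmiprvse.exe, plus two
# benign control rows that the queries must not flag.
SAMPLE_EVENTS = [
    # Security 5145: remote write (AccessMask 0x2 = WriteData) through the C$ share
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5145,
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\System32\\wbem\\wbemcomn.dll",
     "AccessMask": "0x2", "SubjectUserName": "user1", "IpAddress": "10.0.0.5"},
    # Sysmon 11: the file lands on disk (written by the SMB server, so Image is System)
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": SYSMON, "EventID": 11,
     "Image": "System", "TargetFilename": "C:\\Windows\\System32\\wbem\\wbemcomn.dll"},
    # Sysmon 7: wmiprvse.exe loads the planted, unsigned DLL from that path
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": SYSMON, "EventID": 7,
     "Image": "C:\\Windows\\System32\\wbem\\wmiprvse.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll",
     "Signed": "false", "Signature": "-"},
    # Benign control: another host loads the genuine Microsoft-signed wbemcomn.dll
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": SYSMON, "EventID": 7,
     "Image": "C:\\Windows\\System32\\wbem\\wmiprvse.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Benign control: a read (AccessMask 0x1) of the same share path is not a write
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 5145,
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\System32\\wbem\\wbemcomn.dll",
     "AccessMask": "0x1", "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.7"},
]

# Query 1: who wrote wbemcomn.dll into the wbem directory over an admin share?
REMOTE_WRITE_SQL = """
SELECT Hostname, SubjectUserName, IpAddress
FROM mordorTable
WHERE Channel = 'Security' AND EventID = 5145
  AND ShareName LIKE '%C$'
  AND lower(RelativeTargetName) LIKE '%\\wbem\\wbemcomn.dll'
  AND has_write_bit(AccessMask)
"""

# Query 2: on the same host, was that freshly created file then loaded by wmiprvse.exe
# without a valid Microsoft signature? (Self-join of file-create and image-load events.)
HIJACK_LOAD_SQL = """
SELECT DISTINCT w.Hostname, l.ImageLoaded, l.Signed, l.Signature
FROM mordorTable w
JOIN mordorTable l ON l.Hostname = w.Hostname
WHERE w.Channel = 'Microsoft-Windows-Sysmon/Operational' AND w.EventID = 11
  AND lower(w.TargetFilename) LIKE '%\\wbem\\wbemcomn.dll'
  AND l.Channel = w.Channel AND l.EventID = 7
  AND lower(l.ImageLoaded) = lower(w.TargetFilename)
  AND lower(l.Image) LIKE '%\\wmiprvse.exe'
  AND (l.Signed <> 'true' OR l.Signature NOT LIKE '%Microsoft%')
"""


def load_events(events):
    """Load flattened event dicts into an in-memory table called mordorTable."""
    conn = sqlite3.connect(":memory:")
    # Hypothetical helper: true when the WriteData bit (0x2) is set in a hex AccessMask.
    conn.create_function("has_write_bit", 1,
                         lambda mask: mask is not None and (int(mask, 16) & 0x2) != 0)
    conn.execute("CREATE TABLE mordorTable (%s)" % ", ".join(COLUMNS))
    placeholders = ", ".join("?" for _ in COLUMNS)
    conn.executemany("INSERT INTO mordorTable VALUES (%s)" % placeholders,
                     [tuple(e.get(c) for c in COLUMNS) for e in events])
    return conn


def find_remote_dll_writes(conn):
    """Rows of (Hostname, SubjectUserName, IpAddress) for remote writes of wbemcomn.dll."""
    return conn.execute(REMOTE_WRITE_SQL).fetchall()


def find_hijacked_loads(conn):
    """Rows of (Hostname, ImageLoaded, Signed, Signature) for suspicious wmiprvse loads."""
    return conn.execute(HIJACK_LOAD_SQL).fetchall()


def hunt(events=SAMPLE_EVENTS):
    """Run both queries over the given events and return their hits."""
    conn = load_events(events)
    return {"remote_writes": find_remote_dll_writes(conn),
            "hijacked_loads": find_hijacked_loads(conn)}


if __name__ == "__main__":
    for name, rows in hunt().items():
        print(name)
        for row in rows:
            print("  ", row)
```

Only the WORKSTATION6 rows are returned: the WORKSTATION5 load is excluded by the signature check and has no matching file-create event, and the read-only share access fails the WriteData bit test. Against the real dataset the second query is the higher-fidelity one, since a legitimate update of wbemcomn.dll would come through a Microsoft-signed installer and leave a signed image-load event.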
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```
Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_wmi_wbemcomn_dll_hijack.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```
+---------------------------+----------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |12 |2185 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |10 |2089 |
|MORDORDC.theshire.local |Security |4658 |785 |
|MORDORDC.theshire.local |Security |4656 |393 |
|MORDORDC.theshire.local |Security |4690 |393 |
|MORDORDC.theshire.local |Security |4663 |365 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |7 |361 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |294 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |193 |
|MORDORDC.theshire.local |Microsoft-Windows-PowerShell/Operational|4103 |169 |
|MORDORDC.theshire.local |Windows PowerShell |800 |169 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |157 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |157 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |113 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |108 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |79 |
|MORDORDC.theshire.local |Microsoft-Windows-PowerShell/Operational|4105 |73 |
|MORDORDC.theshire.local |Microsoft-Windows-PowerShell/Operational|4106 |73 |
|MORDORDC.theshire.local |Security |4703 |67 |
|MORDORDC.theshire.local |Security |5156 |60 |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```