Covenant Remote WMI Eventing ActiveScriptEventConsumers

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/07/24

Modification Date

2020/07/24

Tactics

TA0002,TA0008

Techniques

T1047

Tags

Remote WMI Eventing

Dataset Description

This dataset represents adversaries using WMI event subscriptions (ActiveScriptEventConsumers) remotely to move laterally.

Simulation Metadata

Tools

type     Name    Module
manual   shell   manual

Adversary View

None

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped dataset and extract the JSON-lines file it contains
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad download
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is newline-delimited JSON: one event per line
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)
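As an added example (not part of the dataset page or the OTRF project's own code), a pure-Python pass over records in the dataset's JSON-lines shape that flags hosts where Sysmon logged a complete WMI subscription chain (filter, consumer, binding) and notes whether the consumer was an ActiveScriptEventConsumer. The records are constructed, and the field names Hostname, EventID, Type, Consumer and Filter are assumed from the Sysmon event 19/20/21 schema rather than taken from this page.

```python
import json
from collections import defaultdict

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Sysmon permanent WMI subscription events: filter, consumer, filter-to-consumer binding
WMI_STAGES = {19: "filter", 20: "consumer", 21: "binding"}

# Constructed sample records mimicking the dataset's JSON-lines layout (one event per line).
# Hostname/EventID/Type/Consumer/Filter are assumed field names, not values from this page.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"Hostname": "WORKSTATION6", "Channel": SYSMON_CHANNEL, "EventID": 19,
     "Name": "Updater", "EventNamespace": "root/cimv2"},
    {"Hostname": "WORKSTATION6", "Channel": SYSMON_CHANNEL, "EventID": 20,
     "Name": "Updater", "Type": "Script"},            # Script => ActiveScriptEventConsumer
    {"Hostname": "WORKSTATION6", "Channel": SYSMON_CHANNEL, "EventID": 21,
     "Consumer": 'ActiveScriptEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"Hostname": "WORKSTATION5", "Channel": SYSMON_CHANNEL, "EventID": 20,
     "Name": "Backup", "Type": "Command Line"},        # consumer without filter/binding
    {"Hostname": "WORKSTATION5", "Channel": "Security", "EventID": 4624, "LogonType": 3},
]]


def parse_json_lines(lines):
    """Parse JSON-lines text into dicts, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def wmi_subscription_chains(records):
    """Return hosts with a full filter -> consumer -> binding chain in Sysmon WMI events."""
    per_host = defaultdict(lambda: {"filter": [], "consumer": [], "binding": [], "script_consumer": False})
    for rec in records:
        stage = WMI_STAGES.get(rec.get("EventID"))
        if rec.get("Channel") != SYSMON_CHANNEL or stage is None:
            continue
        host = per_host[rec.get("Hostname", "unknown")]
        host[stage].append(rec)
        if stage == "consumer" and rec.get("Type") == "Script":
            host["script_consumer"] = True   # ActiveScriptEventConsumer seen on this host
    return {h: v for h, v in per_host.items()
            if all(v[s] for s in ("filter", "consumer", "binding"))}
```

On the real dataset, feed the lines of the extracted file to parse_json_lines instead of SAMPLE_LINES; a host with only a consumer event (WORKSTATION5 above) is not reported, so incomplete chains still deserve a look in the raw records.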