Covenant PowerShell Remoting Command

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/08/06

Modification Date

2020/09/20

Tactics

TA0002,TA0008

Techniques

T1021.006

Tags

PowerShell Remoting

Dataset Description

This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).

Simulation Metadata

Tools

type

Name

Module

C2

Covenant

PowerShellRemotingCommand

Adversary View

[08/06/2020 15:56:13 UTC] PowerShellRemotingCommand completed

(wardog) > PowerShellRemotingCommand /computername:"WORKSTATION6" /command:"get-process" /domain:"theshire.local" /username:"pgustavo" /password:"W1n1!2019"

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                     PSComputerName                

-------  ------    -----      -----     ------     --  -- -----------                     --------------                

    259      17     4712      24656       0.58   7996   2 ApplicationFrameHost            WORKSTATION6                  

    118       7     6396      10664       0.03   1356   0 conhost                         WORKSTATION6                  

    612      22     1720       4900       0.69    524   0 csrss                           WORKSTATION6                  

    168      11     1544       4164       0.06    604   1 csrss                           WORKSTATION6                  

    401      14     1664       5168       6.94   2528   2 csrss                           WORKSTATION6                  

    384      15     3648      13620       5.97   2888   2 ctfmon                          WORKSTATION6                  

    135       8     2016      12064       0.19   4952   2 dllhost                         WORKSTATION6                  

    235      22     5100      14172       0.33   5028   2 dllhost                         WORKSTATION6                  

    242      16     3776      12940       0.33   7864   2 dllhost                         WORKSTATION6                  

    665      24    17888      38728       0.27    588   1 dwm                             WORKSTATION6                  

    721      32    31996      69820      19.36   2512   2 dwm                             WORKSTATION6                  

  1961      75    43016     122660      26.72   4156   2 explorer                        WORKSTATION6                  

    32       5     1188       2072       0.03    880   1 fontdrvhost                     WORKSTATION6                  

    32       5     1260       2172       0.08    884   0 fontdrvhost                     WORKSTATION6                  

    32       7     3092       5864       0.75   4084   2 fontdrvhost                     WORKSTATION6                  

      0       0       60          8                 0   0 Idle                            WORKSTATION6                  

    632      34    17136      49032       0.48    608   1 LogonUI                         WORKSTATION6

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_psremoting_command.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)