SharpView PCRE.NET

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/29

Modification Date

2020/10/29

Tactics

TA0002

Techniques

T1059

Tags

None

Dataset Description

This dataset represents a threat actor leveraging SharpView and specific functions such as Get-ObjectAcl creating files and loading dlls related to PCRE.NET use.

Simulation Metadata

Tools

type

Name

Module

Manual

Cmd

Cmd

Adversary View

C:\ProgramData>SharpView.exe Get-ObjectAcl -SamAccountName "Domain Admins"
[Get-DomainSearcher] search base: LDAP://MORDORDC.THESHIRE.LOCAL/DC=THESHIRE,DC=LOCAL
[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))
ObjectDN                       : CN=Domain Admins,CN=Users,DC=theshire,DC=local
ObjectAceFlags                 : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectAceType                  : 4c164200-20c0-11d0-a768-00aa006e0529
InheritedObjectAceType         : 4828cc14-1437-45bc-9b07-ad6f015e5f28
BinaryLength                   : 60
AceQualifier                   : AccessAllowed
IsCallback                     : False
OpaqueLength                   : 0
AccessMask                     : 16
SecurityIdentifier             : S-1-5-32-554
AceType                        : AccessAllowedObject
AceFlags                       : None
IsInherited                    : False
InheritanceFlags               : None
PropagationFlags               : None
AuditFlags                     : None
ObjectSID                      : S-1-5-21-3140987116-517580383-2541594433-512
ActiveDirectoryRights          : ReadProperty
..
.....

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/cmd_sharpview_pcre_net.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)