SharpView PCRE.NET
Metadata

| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/10/29 |
| Modification Date | 2020/10/29 |
| Tactics | |
| Techniques | |
| Tags | None |
Dataset Description

This dataset represents a threat actor leveraging SharpView, specifically functions such as Get-ObjectAcl, whose execution creates files and loads DLLs related to PCRE.NET.
Datasets Downloads

| Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/cmd_sharpview_pcre_net.zip |
Adversary View
C:\ProgramData>SharpView.exe Get-ObjectAcl -SamAccountName "Domain Admins"
[Get-DomainSearcher] search base: LDAP://MORDORDC.THESHIRE.LOCAL/DC=THESHIRE,DC=LOCAL
[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))
ObjectDN : CN=Domain Admins,CN=Users,DC=theshire,DC=local
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectAceType : 4c164200-20c0-11d0-a768-00aa006e0529
InheritedObjectAceType : 4828cc14-1437-45bc-9b07-ad6f015e5f28
BinaryLength : 60
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 16
SecurityIdentifier : S-1-5-32-554
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
ObjectSID : S-1-5-21-3140987116-517580383-2541594433-512
ActiveDirectoryRights : ReadProperty
..
.....
Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped dataset and extract the first (and only) JSON-lines file inside it.
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/cmd_sharpview_pcre_net.zip'
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File

import pandas as pd

# The dataset is one JSON object per line, so read it with lines=True.
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events
df.groupby(['Channel']).size().sort_values(ascending=False)
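The channel summary above only tells you which logs are present. The dataset description says the SharpView run writes files and loads DLLs related to PCRE.NET, so the behaviour a defender wants to surface is a single process that first creates a PCRE.NET-named file (Sysmon Event ID 11) and then loads that same path as an image (Sysmon Event ID 7). The following is an added example, not code from the Security Datasets notebook: it builds a small constructed frame in the dataset's flattened Sysmon schema (placeholder GUIDs and paths, not real records), reproduces the per-channel summary as a function, and joins file-create and image-load events on ProcessGuid. The `PCRE.NET` substring match and the column names `ProcessGuid`, `TargetFilename`, `ImageLoaded` are assumptions about the schema; swap in `df` loaded from the real file to run it against the dataset.

```python
import pandas as pd

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample records in the flattened Sysmon schema the dataset uses.
# These are illustrative rows, not events from the real download. Event IDs:
# 1 = process create, 7 = image load, 11 = file create. GUIDs and paths are placeholders.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{GUID-A}",
     "Image": "C:\\ProgramData\\SharpView.exe",
     "TargetFilename": None, "ImageLoaded": None},
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{GUID-A}",
     "Image": "C:\\ProgramData\\SharpView.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\PCRE.NET-placeholder\\native.dll",
     "ImageLoaded": None},
    {"Channel": SYSMON, "EventID": 7, "ProcessGuid": "{GUID-A}",
     "Image": "C:\\ProgramData\\SharpView.exe",
     "TargetFilename": None,
     # Sysmon reports the load with different casing than the create; the join must tolerate that.
     "ImageLoaded": "c:\\users\\user\\appdata\\local\\temp\\pcre.net-placeholder\\native.dll"},
    # Decoy: a process that loads an already-installed PCRE.NET library it never wrote.
    {"Channel": SYSMON, "EventID": 7, "ProcessGuid": "{GUID-B}",
     "Image": "C:\\Program Files\\SomeApp\\app.exe",
     "TargetFilename": None,
     "ImageLoaded": "C:\\Program Files\\SomeApp\\PCRE.NET-placeholder.dll"},
    # Decoy: a process that writes a PCRE.NET-named file but never loads it as an image.
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{GUID-C}",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\user\\Downloads\\PCRE.NET-notes.txt", "ImageLoaded": None},
    # A non-Sysmon event, so the channel filter has something to exclude.
    {"Channel": "Security", "EventID": 4624, "ProcessGuid": None,
     "Image": None, "TargetFilename": None, "ImageLoaded": None},
]


def sample_frame():
    """Constructed stand-in for the `df` the notebook reads from the dataset."""
    return pd.DataFrame(SAMPLE_EVENTS)


def events_per_channel(df):
    """Same summary the notebook computes: event count per Channel, descending."""
    return df.groupby("Channel").size().sort_values(ascending=False)


def pcre_net_write_then_load(df, pattern="PCRE.NET"):
    """Processes that created a file matching `pattern` (Sysmon 11) and then loaded
    that same path as an image (Sysmon 7). Joined on ProcessGuid so a process that
    only loads a pre-existing library, or only writes a file, is not reported."""
    sysmon = df[df["Channel"] == SYSMON]
    created = sysmon[(sysmon["EventID"] == 11)
                     & sysmon["TargetFilename"].str.contains(pattern, case=False, na=False, regex=False)]
    loaded = sysmon[(sysmon["EventID"] == 7)
                    & sysmon["ImageLoaded"].str.contains(pattern, case=False, na=False, regex=False)]
    hits = created[["ProcessGuid", "Image", "TargetFilename"]].merge(
        loaded[["ProcessGuid", "ImageLoaded"]], on="ProcessGuid")
    # Windows paths are case-insensitive, so compare lowered forms.
    same_file = hits["TargetFilename"].str.lower() == hits["ImageLoaded"].str.lower()
    return hits[same_file].drop_duplicates().reset_index(drop=True)


if __name__ == "__main__":
    frame = sample_frame()
    print(events_per_channel(frame))
    print(pcre_net_write_then_load(frame))
```

On the constructed frame only the SharpView process is reported: it is the one ProcessGuid with both a PCRE.NET file create and an image load of the identical path. Against the real dataset, replace `sample_frame()` with the `df` read above; if the extracted schema names its columns differently, adjust the three column names in the function.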