DCOM RegisterXLL
Metadata
| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/09/18 |
| Modification Date | 2020/09/18 |
| Tactics | |
| Techniques | |
| Tags | DCOM |
Dataset Description
This dataset represents an adversary leveraging the COM method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally on a UNC path such as `\\SERVER\FILES`.
Datasets Downloads
| Type | Link |
|---|---|
| Host | |
| Network | |
Adversary View
```
(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Desktop\MoveExcelXLL.exe 172.18.39.6 C:\\programdata\calc.xll"
```
Explore Datasets
Download & Decompress Dataset
```python
import requests
from zipfile import ZipFile
from io import BytesIO

# URL of the zipped JSON-lines dataset (host events)
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_dcom_registerxll.zip'

# Download the archive into memory and extract the single JSON file it contains
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
Read JSON File
```python
import pandas as pd

# The dataset is JSON lines (one event per line), so lines=True is required
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```
Access Security Events
```python
# Count events per Windows event log channel, most populated first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
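The cells above only count events per channel. As an added example (not part of the original notebook or of the Security-Datasets project), the following detection logic shows how a defender would hunt for the behaviour this dataset captures: Excel started by the DCOM launcher rather than by a user, followed by an `.xll` image load in that same process. It uses plain `json` instead of pandas so it runs offline against the constructed sample records embedded below; the field names (`Channel`, `EventID`, `Image`, `ParentCommandLine`, `ImageLoaded`, `ProcessGuid`, `Signed`, `Hostname`) are assumed to follow the Sysmon schema as the dataset's collector exports it, and the hostnames, GUIDs and paths are made up for the example. The same function can be applied to the real dataset by passing the downloaded JSON-lines file's text to `load_events`.

```python
import json

# Constructed sample records in the dataset's JSON-lines shape (assumed Sysmon
# field names; EventID 1 = process creation, EventID 7 = image load).
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    # Excel started by the DCOM launcher, then loads an unsigned XLL from ProgramData
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Hostname": "WORKSTATION5",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" -Embedding",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
     "ProcessGuid": "{11111111-1111-1111-1111-111111111111}"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7, "Hostname": "WORKSTATION5",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\ProgramData\\calc.xll", "Signed": "false",
     "ProcessGuid": "{11111111-1111-1111-1111-111111111111}"},
    # Benign: a user opens Excel from Explorer and a signed, Office-shipped XLL loads
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Hostname": "WORKSTATION5",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\"",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
     "ProcessGuid": "{22222222-2222-2222-2222-222222222222}"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7, "Hostname": "WORKSTATION5",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL",
     "Signed": "true", "ProcessGuid": "{22222222-2222-2222-2222-222222222222}"},
    # Security-channel record that the Sysmon filter must ignore
    {"Channel": "Security", "EventID": 4688, "Hostname": "WORKSTATION5",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
])

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def load_events(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_dcom_xll_loads(events):
    """Return one finding per XLL loaded into an Excel process that DCOM launched.

    Step 1: Sysmon EventID 1 where EXCEL.EXE's parent is the DCOM launcher
            (svchost.exe -k DcomLaunch); an interactive launch comes from
            explorer.exe or a shell instead.
    Step 2: Sysmon EventID 7 with the same ProcessGuid whose ImageLoaded is an .xll.
    """
    sysmon = [e for e in events if e.get("Channel") == SYSMON_CHANNEL]
    dcom_excel = {
        e["ProcessGuid"]: e for e in sysmon
        if e.get("EventID") == 1
        and e.get("Image", "").lower().endswith("\\excel.exe")
        and "dcomlaunch" in e.get("ParentCommandLine", "").lower()
    }
    findings = []
    for e in sysmon:
        if e.get("EventID") != 7 or not e.get("ImageLoaded", "").lower().endswith(".xll"):
            continue
        launch = dcom_excel.get(e.get("ProcessGuid"))
        if launch is None:
            continue
        findings.append({
            "hostname": e.get("Hostname"),
            "process_guid": e["ProcessGuid"],
            "xll": e["ImageLoaded"],
            # The dataset description notes the XLL may live on a UNC share; a
            # \\server\share path is a stronger signal than a local file, so record it.
            "remote_xll": e["ImageLoaded"].startswith("\\\\"),
            "signed": e.get("Signed", "").lower() == "true",
            "parent_cmdline": launch.get("ParentCommandLine"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_dcom_xll_loads(load_events(SAMPLE_JSONL)):
        print(finding)
```

On the sample above only the DCOM-launched Excel process with the unsigned `calc.xll` is reported; the user-launched Excel loading a signed Office add-in is not. Joining on `ProcessGuid` rather than on image name alone is what keeps the benign XLL load out of the results, and the `remote_xll` and `signed` fields let a triage rule rank UNC-sourced or unsigned add-ins higher.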