DCOM RegisterXLL

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/18

Modification Date

2020/09/18

Tactics

TA0008

Techniques

T1021.003

Tags

DCOM

Dataset Description

This dataset represents adversaries leveraging the COM Method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally in an UNC path such as \SERVER\FILES.

Simulation Metadata

Tools

type

Name

Module

C2

Covenant

ShellCmd

Adversary View

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Desktop\MoveExcelXLL.exe 172.18.39.6 C:\\programdata\calc.xll

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/covenant_dcom_registerxll.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)