PurpleSharp PE Injection CreateRemoteThread

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/23

Modification Date

2020/10/23

Tactics

TA0004,TA0005

Techniques

T1055.002

Tags

None

Dataset Description

This dataset represents threat actors injecting portable executables (PE) into processes via APIs such asVirtualAllocEx and WriteProcessMemory and running it on the virtual address space of another process via the CreateRemoteThread API.

Simulation Metadata

Tools

type

Name

Module

Manual

Cmd

Cmd

Adversary View

C:\Users\wardog\Desktop>PurpleSharp.exe /t T1055.002
10/23/2020 03:12:04 [*]  Starting T1055.002 Simulation on WORKSTATION5
10/23/2020 03:12:04 [*]  Simulator running from C:\Users\wardog\Desktop\PurpleSharp.exe with PID:8972 as WORKSTATION5\wardog
10/23/2020 03:12:04 [*]  Process notepad.exe with PID:9908 started for the injection
10/23/2020 03:12:04 [*]  Calling OpenProcess on PID:9908
10/23/2020 03:12:04 [*]  Calling VirtualAllocEx on PID:9908
10/23/2020 03:12:04 [*]  Calling WriteProcessMemory on PID:9908
10/23/2020 03:12:04 [*]  Calling CreateRemoteThread on PID:9908
10/23/2020 03:12:04 [*]  Simulation Finished
10/23/2020 03:12:04 [*]  Playbook Finished

C:\Users\wardog\Desktop>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/purplesharp_pe_injection_createremotethread.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)