.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

Empire WDigest Downgrade

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/05/18
Modification Date	2020/09/20
Tactics	[‘TA0005’]
Techniques	[‘T1112’]
Tags	[‘Registry Modification’, ‘Windows Registry WDigest’]

Dataset Description

This dataset represents adversaries setting the UseLogonCredential property value from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key to 1 to enable plain text passwords.

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_wdigest_downgrade.tar.gz

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link
Threat Hunter Playbook	WDigest Downgrade	https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190510202010.html

Simulation Plan

Environment	Tool Type	Module
Mordor shire	C2	wdigest_downgrade

Adversary View

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_wdigest_downgrade.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

CMSTP Proxy Execution HH Execution of Local Compiled HTML Payload