Empire WDigest Downgrade¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/05/18 |
Modification Date |
2020/09/20 |
Tactics |
[‘TA0005’] |
Techniques |
[‘T1112’] |
Tags |
[‘Registry Modification’, ‘Windows Registry WDigest’] |
Dataset Description¶
This dataset represents adversaries setting the UseLogonCredential property value from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key to 1 to enable plain text passwords.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
Notebooks¶
Notebooks created by the community leveraging the mordor datasets
Author |
Name |
Link |
---|---|---|
Threat Hunter Playbook |
WDigest Downgrade |
https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190510202010.html |
Simulation Plan¶
Environment |
Tool Type |
Module |
---|---|---|
Mordor shire |
C2 |
Adversary View¶
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_wdigest_downgrade.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)