# Empire Enable RDP

## Metadata

| | |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/05/18 |
| Modification Date | 2020/09/20 |
| Tactics | ['TA0005'] |
| Techniques | ['T1112'] |
| Tags | ['Registry Modification', 'Windows Registry RDP Settings'] |
## Dataset Description

This dataset represents adversaries enabling RDP and adding a firewall exception on a compromised system.
## Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
## Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Mordor shire | C2 | |
## Adversary View

```text
(Empire: TKV35P8X) > usemodule management/enable_rdp*
(Empire: powershell/management/enable_rdp) > info

              Name: Enable-RDP
            Module: powershell/management/enable_rdp
        NeedsAdmin: True
         OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
   OutputExtension: None

Authors:
  @harmj0y

Description:
  Enables RDP on the remote machine and adds a firewall
  exception.

Options:

  Name   Required    Value       Description
  ----   --------    -------     -----------
  Agent  True        TKV35P8X    Agent to run module on.

(Empire: powershell/management/enable_rdp) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked TKV35P8X to run TASK_CMD_WAIT
[*] Agent TKV35P8X tasked with task ID 21
[*] Tasked agent TKV35P8X to run module powershell/management/enable_rdp
(Empire: powershell/management/enable_rdp) > The operation completed successfully.

(Empire: powershell/management/enable_rdp) >
```
## Explore Mordor Dataset

### Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

### Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_enable_rdp.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

### Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```
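The notebook above only counts events per host, channel and event ID. The example below is an added illustration of what a hunter would look for next in a dataset like this one, written in plain Python so it runs offline without Spark; it is not code from the Mordor project or from this notebook. It reproduces the notebook's GROUP BY as `event_counts()` and then adds `detect_rdp_enablement()`, which flags the two artifacts the dataset description names (the RDP setting being changed in the registry and a firewall exception being added) from Sysmon registry-value-set (EventID 13) and process-creation (EventID 1) events. The registry value `fDenyTSConnections`, the `FirewallRules` key, the `netsh advfirewall` command line and all sample events are assumptions and constructed samples; the page itself does not name them.

```python
import json
import re
from collections import Counter

# Constructed sample events in the one-JSON-object-per-line layout Mordor uses.
# They are NOT lines from the empire_enable_rdp dataset; field names follow the
# Sysmon schema (TargetObject/Details for EventID 13, CommandLine for EventID 1).
SAMPLE_EVENTS = r"""
{"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "Details": "DWORD (0x00000000)"}
{"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "Details": "DWORD (0x00000001)"}
{"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes"}
{"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\RemoteDesktop-UserMode-In-TCP", "Details": "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Remote Desktop - User Mode (TCP-In)|"}
{"Hostname": "WORKSTATION5", "Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\netsh.exe"}
{"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
"""

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Assumed indicators (not taken from the page): the Terminal Server registry value
# that disables RDP when non-zero, the firewall rule store under FirewallPolicy,
# and a netsh command line that enables the "remote desktop" rule group.
RDP_DENY_VALUE = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.IGNORECASE)
DISABLED_DWORD = re.compile(r"DWORD \(0x0+\)")  # Sysmon renders DWORDs as "DWORD (0x00000000)"
FIREWALL_RULES_KEY = re.compile(r"\\FirewallPolicy\\FirewallRules\\", re.IGNORECASE)
NETSH_RDP_RULE = re.compile(r"advfirewall\s+firewall\s+.*remote desktop", re.IGNORECASE)


def parse_events(text):
    """Parse one JSON event per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_counts(events):
    """Plain-Python equivalent of the notebook's GROUP BY Hostname, Channel, EventID."""
    counts = Counter((e.get("Hostname"), e.get("Channel"), e.get("EventID")) for e in events)
    return counts.most_common()  # list of ((Hostname, Channel, EventID), count), highest first


def detect_rdp_enablement(events):
    """Return one finding per event that enables RDP or opens the firewall for it."""
    findings = []
    for e in events:
        if e.get("Channel") != SYSMON:
            continue  # only Sysmon events carry the fields inspected below
        eid = e.get("EventID")
        image = e.get("Image", "")
        if eid == 13:
            target = e.get("TargetObject", "")
            details = e.get("Details", "")
            # fDenyTSConnections written as 0 = RDP enabled. A write of 1 (RDP
            # disabled, e.g. hardening) is deliberately NOT flagged.
            if RDP_DENY_VALUE.search(target) and DISABLED_DWORD.search(details):
                findings.append({"rule": "rdp_enabled_via_registry",
                                 "host": e.get("Hostname"), "image": image})
            # A firewall rule record allowing inbound TCP/3389 written to the rule store.
            elif (FIREWALL_RULES_KEY.search(target) and "Action=Allow" in details
                  and "LPort=3389" in details):
                findings.append({"rule": "rdp_firewall_rule_written",
                                 "host": e.get("Hostname"), "image": image})
        elif eid == 1:
            cmd = e.get("CommandLine", "")
            if image.lower().endswith("\\netsh.exe") and NETSH_RDP_RULE.search(cmd):
                findings.append({"rule": "rdp_firewall_rule_via_netsh",
                                 "host": e.get("Hostname"), "image": image})
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for key, n in event_counts(evts):
        print(key, n)
    for f in detect_rdp_enablement(evts):
        print(f)
```

The same two checks translate directly into `spark.sql()` queries against `mordorTable`: filter `Channel`, `EventID` and `TargetObject`/`CommandLine` the way the functions above do, then join the registry finding and the firewall finding on `Hostname` within a short time window, since the Empire module performs both actions in one task.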