Empire Reg Dump SAM Hive

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/06/25

Modification Date

2019/06/25

Tactics

['TA0006']

Techniques

['T1003.002']

Tags

['SAM Request Handle']

Dataset Description

This dataset represents an adversary with administrator privileges using the Windows reg utility to dump the SAM registry hive to a file.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment  | Tool Type           | Module
Mordor shire | Interactive Session | None

Adversary View

(Empire: WE8XYD3K) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
WE8XYD3K ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5972   5/0.0    2020-09-22 08:27:49  http            

(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > shell reg save HKLM\sam sam
[*] Tasked WE8XYD3K to run TASK_SHELL
[*] Agent WE8XYD3K tasked with task ID 5
(Empire: WE8XYD3K) > 
The operation completed successfully.

..Command execution completed.

(Empire: WE8XYD3K) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_shell_reg_dump_sam.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |293  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |109  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |108  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |93   |
|MORDORDC.theshire.local    |Security                                |5158   |28   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |16   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |13   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |13   |
|MORDORDC.theshire.local    |Security                                |5156   |9    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |9    |
|WORKSTATION6.theshire.local|security                                |5158   |8    |
|WORKSTATION5.theshire.local|security                                |5158   |7    |
|WORKSTATION6.theshire.local|security                                |5156   |7    |
|WORKSTATION5.theshire.local|security                                |5156   |6    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |9      |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |17     |1    |
|WORKSTATION5.theshire.local|security                                |4703   |1    |
|MORDORDC.theshire.local    |Security                                |4627   |1    |
|WORKSTATION5.theshire.local|security                                |4688   |1    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
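The summary above shows one Security 4688 event and the Sysmon events recorded on WORKSTATION5 while the agent ran `reg save HKLM\sam sam`. The following is an added example, not part of the original notebook or the Mordor project, of the detection logic a hunter would apply to this dataset: a pure-Python routine over Mordor-style JSON lines that flags reg.exe saving or exporting the SAM, SYSTEM or SECURITY hive from either Sysmon event 1 or Security 4688. The sample records are constructed for illustration, not rows from the dataset; the field names (Image, NewProcessName, CommandLine, OriginalFileName, ParentImage, ParentProcessName) are the standard Sysmon and Security log fields.

```python
import json
import re

# Constructed sample records in the shape of Mordor JSON lines (one event per line).
# Illustrative only; not rows from the empire_shell_reg_dump_sam dataset.
SAMPLE_EVENTS = r'''
{"Hostname":"WORKSTATION5.theshire.local","Channel":"security","EventID":4688,"NewProcessName":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg save HKLM\\sam sam","ParentProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"Image":"C:\\Windows\\System32\\reg.exe","OriginalFileName":"reg.exe","CommandLine":"\"reg\" export HKEY_LOCAL_MACHINE\\SYSTEM C:\\Users\\Public\\system.hiv","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"Image":"C:\\Windows\\System32\\reg.exe","OriginalFileName":"reg.exe","CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":10,"SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe"}
'''

# reg save / reg export whose target is a credential-bearing hive, in the short (HKLM)
# or long (HKEY_LOCAL_MACHINE) form, regardless of case or quoting.
HIVE_DUMP_RE = re.compile(
    r'\b(save|export)\s+"?(hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)

# Process-creation field names differ between Sysmon event 1 and Security 4688.
PROCESS_CREATION = {
    ("microsoft-windows-sysmon/operational", 1): ("Image", "ParentImage"),
    ("security", 4688): ("NewProcessName", "ParentProcessName"),
}


def find_hive_dumps(json_lines):
    """Return one finding per process-creation event that saves/exports a hive (T1003.002)."""
    findings = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        key = (event.get("Channel", "").lower(), int(event.get("EventID", 0)))
        if key not in PROCESS_CREATION:
            continue  # registry, network and access events are not process creations
        image_field, parent_field = PROCESS_CREATION[key]
        # Match the binary path, or OriginalFileName where Sysmon records it, so a
        # renamed copy of reg.exe is still caught when Sysmon is present.
        image = event.get(image_field, "").lower()
        is_reg = image.endswith("\\reg.exe") or event.get("OriginalFileName", "").lower() == "reg.exe"
        match = HIVE_DUMP_RE.search(event.get("CommandLine", ""))
        if not (is_reg and match):
            continue
        findings.append({"host": event.get("Hostname"), "event_id": key[1],
                         "action": match.group(1).lower(), "hive": match.group(3).upper(),
                         "parent": event.get(parent_field, ""), "command_line": event["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in find_hive_dumps(SAMPLE_EVENTS):
        print(finding)
```

Security 4688 only carries CommandLine when command-line auditing is enabled, so on hosts without Sysmon the routine sees nothing; the parent field is kept in each finding because a PowerShell parent, as in the Empire session above, is what separates this from an administrator's interactive cmd.exe usage.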