RDP TaskManager LSASS Dump

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/10/27

Modification Date

2020/09/21

Tactics

['TA0006']

Techniques

['T1003.001']

Tags

['RDP Interactive']

Dataset Description

This dataset represents an adversary who logs in over RDP and uses Task Manager interactively to dump the memory space of lsass.exe.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author                  Name                                        Link
Threat Hunter Playbook  Remote Interactive Task Manager LSASS Dump  https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-191030201010.html

Simulation Plan

Environment   Tool Type            Module
Mordor shire  Interactive Session  None

Adversary View

RDP to victim
Open Windows Task Manager as Administrator
Select lsass.exe
Right-click on lsass.exe and select “Create dump file”
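Detection logic for the steps above, as an added example that is not part of this dataset page or the Threat Hunter Playbook notebook: it ties a Sysmon event 10 (Task Manager opening lsass.exe with read access) back to the logon session that started Task Manager via Sysmon event 1, and flags it only when that session is a Security 4624 remote-interactive (type 10) logon. The events, GUIDs, logon ids and IP address are constructed placeholders; field names are assumed to follow the Sysmon and Security schemas.

```python
# PROCESS_VM_READ (0x0010) must be in GrantedAccess to read lsass memory for a dump.
PROCESS_VM_READ = 0x0010
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not taken from the Mordor dataset); field names follow
# the Sysmon 1/10 and Security 4624 schemas; GUIDs, logon ids and IPs are placeholders.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "LogonType": "10", "TargetLogonId": "0x3e7a1",
     "IpAddress": "172.18.39.5"},                                   # RDP logon
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{guid-rdp-taskmgr}",
     "Image": "C:\\Windows\\System32\\Taskmgr.exe", "LogonId": "0x3e7a1"},
    {"Channel": SYSMON, "EventID": 10, "SourceProcessGUID": "{guid-rdp-taskmgr}",
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Security", "EventID": 4624, "LogonType": "2", "TargetLogonId": "0x2c9f0",
     "IpAddress": "-"},                                             # console logon
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{guid-console-taskmgr}",
     "Image": "C:\\Windows\\System32\\Taskmgr.exe", "LogonId": "0x2c9f0"},
    {"Channel": SYSMON, "EventID": 10, "SourceProcessGUID": "{guid-console-taskmgr}",
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": SYSMON, "EventID": 10, "SourceProcessGUID": "{guid-svchost}",
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]

def detect_remote_taskmgr_lsass_dump(events):
    """Return one finding per Task Manager->lsass access whose process belongs to an RDP logon."""
    # Security 4624 with LogonType 10: remote-interactive logon ids and their source IP
    rdp_logons = {e["TargetLogonId"].lower(): e.get("IpAddress", "-") for e in events
                  if e["Channel"].lower() == "security" and e["EventID"] == 4624
                  and int(e["LogonType"]) == 10}
    # Sysmon 1: which logon session created each process GUID
    proc_logon = {e["ProcessGuid"]: e["LogonId"].lower() for e in events
                  if e["Channel"] == SYSMON and e["EventID"] == 1}
    findings = []
    for e in events:
        if e["Channel"] != SYSMON or e["EventID"] != 10:
            continue
        if not (e["SourceImage"].lower().endswith("\\taskmgr.exe")
                and e["TargetImage"].lower().endswith("\\lsass.exe")):
            continue
        if not int(e["GrantedAccess"], 16) & PROCESS_VM_READ:   # no memory read, no dump
            continue
        logon_id = proc_logon.get(e["SourceProcessGUID"])
        if logon_id in rdp_logons:                               # only sessions that came in over RDP
            findings.append({"SourceImage": e["SourceImage"], "GrantedAccess": e["GrantedAccess"],
                             "LogonId": logon_id, "IpAddress": rdp_logons[logon_id]})
    return findings
```

The console-session Task Manager and the svchost access are left out on purpose, so the same query over the dataset's mordorTable isolates the RDP case from local administrator activity.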

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/rdp_interactive_taskmanager_lsass_dump.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |1605 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |1253 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |847  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |434  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |357  |
|WORKSTATION5.theshire.local|security                            |4658   |153  |
|WORKSTATION5.theshire.local|security                            |4690   |84   |
|MORDORDC.theshire.local    |Security                            |5156   |72   |
|WORKSTATION5.theshire.local|security                            |4656   |70   |
|WORKSTATION5.theshire.local|security                            |4663   |61   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|9      |53   |
|WORKSTATION5.theshire.local|security                            |5158   |50   |
|MORDORDC.theshire.local    |Security                            |5158   |39   |
|WORKSTATION5.theshire.local|security                            |5156   |38   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |37   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|18     |17   |
|WORKSTATION5.theshire.local|security                            |4688   |17   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|1      |17   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |16   |
|MORDORDC.theshire.local    |Security                            |4658   |16   |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows