RDP TaskManager LSASS Dump¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/10/27 |
Modification Date |
2020/09/21 |
Tactics |
[‘TA0006’] |
Techniques |
[‘T1003.001’] |
Tags |
[‘RDP Interactive’] |
Dataset Description¶
This dataset represents adversaries using RDP and task manager interactively and dump the memory space of lsass.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
Notebooks¶
Notebooks created by the community leveraging the mordor datasets
Author |
Name |
Link |
---|---|---|
Threat Hunter Playbook |
Remote Interactive Task Manager LSASS Dump |
https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-191030201010.html |
Simulation Plan¶
Environment |
Tool Type |
Module |
---|---|---|
Mordor shire |
Interactive Session |
None |
Adversary View¶
RDP to victim
Open Windows Task Manager as Administrator
Select lsass.exe
Right-click on lsass.exe and select “Create dump file”
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/rdp_interactive_taskmanager_lsass_dump.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |1605 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |1253 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |847 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |434 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |357 |
|WORKSTATION5.theshire.local|security |4658 |153 |
|WORKSTATION5.theshire.local|security |4690 |84 |
|MORDORDC.theshire.local |Security |5156 |72 |
|WORKSTATION5.theshire.local|security |4656 |70 |
|WORKSTATION5.theshire.local|security |4663 |61 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|9 |53 |
|WORKSTATION5.theshire.local|security |5158 |50 |
|MORDORDC.theshire.local |Security |5158 |39 |
|WORKSTATION5.theshire.local|security |5156 |38 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11 |37 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|18 |17 |
|WORKSTATION5.theshire.local|security |4688 |17 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|1 |17 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |16 |
|MORDORDC.theshire.local |Security |4658 |16 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows