UI Prompt For Credentials Function

Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/10/20 |
| Modification Date | 2020/10/20 |
| Tactics | |
| Techniques | ['T1056.002'] |
| Tags | ['art.2b162bfd-0928-4d4c-9ec3-4d9f88374b52'] |
Dataset Description

This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credential information from a user.
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Lab VM | Manual | |
Adversary View

```powershell
PS > $cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
PS > write-warning $cred.GetNetworkCredential().Password
WARNING: testing
PS >
```
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```
Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/psh_input_capture_promptforcreds.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```
+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |98   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |18   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |16   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |15   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |7    |
|WORKSTATION5|Security                            |5156   |2    |
|WORKSTATION5|Security                            |5158   |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|9      |1    |
|WORKSTATION5|Security                            |5379   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|23     |1    |
|WORKSTATION5|Security                            |1102   |1    |
|WORKSTATION5|System                              |104    |1    |
+------------+------------------------------------+-------+-----+
```
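The counts above show Sysmon Event ID 7 (image load) records in the dataset, and CredUIPromptForCredentials is exported by credui.dll, so one hunt for the Adversary View activity is a PowerShell host loading that DLL. The following is an added example, not part of the Mordor notebook: it scans Mordor-style NDJSON events offline with plain Python instead of Spark, and assumes the Sysmon field names Image, ImageLoaded and ProcessGuid; the events themselves are constructed.

```python
import json

# Constructed Mordor-style NDJSON events (not taken from the real dataset).
# Field names Image/ImageLoaded/ProcessGuid are assumed from Sysmon's schema.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 7, "ProcessGuid": "{guid-1}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\System32\\credui.dll"},
    {"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 7, "ProcessGuid": "{guid-2}",
     "Image": "C:\\Windows\\explorer.exe",          # a normal credui.dll consumer
     "ImageLoaded": "C:\\Windows\\System32\\credui.dll"},
    {"Hostname": "WORKSTATION5", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 7, "ProcessGuid": "{guid-1}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"Hostname": "WORKSTATION5", "Channel": "Security", "EventID": 5156},
])

# Script hosts that rarely need a credential dialog; tune per environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
CREDUI_DLLS = {"credui.dll"}

def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_credui_loads(ndjson_text):
    """Return sorted (Hostname, ProcessGuid, Image) tuples, one per process,
    for script hosts that loaded credui.dll according to Sysmon Event ID 7."""
    hits = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("Channel") != "Microsoft-Windows-Sysmon/Operational":
            continue
        if str(e.get("EventID")) != "7":          # EventID may be int or str
            continue
        image, loaded = e.get("Image", ""), e.get("ImageLoaded", "")
        if basename(loaded) in CREDUI_DLLS and basename(image) in SCRIPT_HOSTS:
            hits[e.get("ProcessGuid")] = (e.get("Hostname"), e.get("ProcessGuid"), image)
    return sorted(hits.values())

if __name__ == "__main__":
    for hostname, guid, image in find_credui_loads(SAMPLE_EVENTS):
        print(f"{hostname} {guid} {image} loaded credui.dll")
```

Pivoting from the returned ProcessGuid to the same process's Event ID 10 and 13 records in mordorTable is the natural next step when triaging a hit.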