Empire Net Local Administrators Group
Metadata
Author | Roberto Rodriguez @Cyb3rWard0g |
Creation Date | 2019/03/19 |
Modification Date | 2020/09/20 |
Tactics | ['TA0007'] |
Techniques | ['T1069.001'] |
Tags | ['Local Administrators Group Enumeration'] |
Dataset Description
This dataset represents adversaries enumerating members of the local Administrators group via the net.exe utility.
Datasets Downloads
Dataset Type | Link |
---|---|
Host | |
Simulation Plan
Environment | Tool Type | Module |
---|---|---|
Mordor shire | C2 | [shell](net localgroup Administrators) |
Adversary View
(Empire: 1EHYPBVC) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 4092 5/0.0 2020-09-21 21:59:29 http
1EHYPBVC ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 7456 5/0.0 2020-09-21 23:18:05 http
(Empire: agents) > interact 1EHYPBVC
(Empire: 1EHYPBVC) > shell net localgroup Administrators
[*] Tasked 1EHYPBVC to run TASK_SHELL
[*] Agent 1EHYPBVC tasked with task ID 2
(Empire: 1EHYPBVC) >
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
THESHIRE\Domain Admins
wardog
The command completed successfully.
..Command execution completed.
(Empire: 1EHYPBVC) >
Explore Mordor Dataset
Initialize Analytics Engine
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_net_localgroup_administrators.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |360 |
|WORKSTATION5.theshire.local|Windows PowerShell |800 |67 |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational |4103 |59 |
|MORDORDC.theshire.local |Security |4703 |52 |
|MORDORDC.theshire.local |Microsoft-Windows-WMI-Activity/Operational|5858 |47 |
|WORKSTATION6.theshire.local|security |4673 |44 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |40 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |35 |
|MORDORDC.theshire.local |Security |5158 |23 |
|MORDORDC.theshire.local |Security |4658 |16 |
|MORDORDC.theshire.local |Security |5156 |16 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |11 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |11 |
|MORDORDC.theshire.local |Security |4663 |8 |
|MORDORDC.theshire.local |Security |4656 |8 |
|MORDORDC.theshire.local |Security |4690 |8 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |9 |6 |
|WORKSTATION5.theshire.local|security |5156 |6 |
|WORKSTATION5.theshire.local|security |5158 |6 |
|MORDORDC.theshire.local |Security |4627 |5 |
+---------------------------+------------------------------------------+-------+-----+
only showing top 20 rows
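The Adversary View above (net.exe launched from the Empire agent) and the count summary in this section point to the next step a hunter would take: instead of counting by channel and event ID, filter the process-creation events for the net.exe / net1.exe command line. The block below is an added example, not code from this Mordor page or from the OTRF project. It runs without Spark on JSON lines shaped like a Mordor export; the field names it reads (Hostname, Channel, EventID, User, Image and CommandLine for Sysmon EventID 1; NewProcessName and CommandLine for Security 4688) and the sample events it carries are assumptions, not records from the dataset. It lowercases the channel name because the summary table above contains both "Security" and "security", collapses the net1.exe child that net.exe spawns so one typed command does not become two alerts, and separates enumeration from membership changes (/add, /delete) and local from /domain scope.

```python
"""Spark-free detector for Administrators group enumeration via net.exe/net1.exe.
Added example, not code from the Mordor page or the OTRF project. The field names
(Hostname, Channel, EventID, User, Image, CommandLine, NewProcessName) are
assumptions about the Mordor JSON export format."""
import json
import re
from typing import Dict, Iterable, List, Optional

# net.exe hands the subcommand to a child net1.exe, so one typed command yields
# two process-creation events; both images are covered here.
NET_IMAGES = ("\\net.exe", "\\net1.exe")

# (channel lowercased, event id) -> (image field, command-line field); the channel
# is lowercased because the dataset mixes "Security" and "security".
PROCESS_CREATE_FIELDS = {
    ("microsoft-windows-sysmon/operational", 1): ("Image", "CommandLine"),
    ("security", 4688): ("NewProcessName", "CommandLine"),
}

# "localgroup administrators" in any case, any whitespace run, optional quotes.
LOCALGROUP_ADMINS = re.compile(r'\blocalgroup\s+"?administrators"?(?=\s|$)', re.IGNORECASE)


def classify(event: Dict) -> Optional[Dict]:
    """Alert for a net.exe/net1.exe command on the Administrators group, else None.
    Enumeration (T1069.001) is told apart from /add and /delete, local from /domain."""
    try:
        key = (str(event.get("Channel", "")).lower(), int(event.get("EventID", -1)))
    except (TypeError, ValueError):
        return None
    fields = PROCESS_CREATE_FIELDS.get(key)
    if fields is None:
        return None
    image = str(event.get(fields[0], ""))
    cmdline = str(event.get(fields[1], ""))
    if not image.lower().endswith(NET_IMAGES):
        return None
    match = LOCALGROUP_ADMINS.search(cmdline)
    if match is None:
        return None
    tokens = cmdline.lower().split()
    return {
        "Hostname": event.get("Hostname"), "User": event.get("User"),
        "Image": image, "CommandLine": cmdline,
        "action": "modify" if {"/add", "/delete"} & set(tokens) else "enumerate",
        "scope": "domain" if "/domain" in tokens else "local",
        # arguments from "localgroup" on, lowercased and whitespace-collapsed, so
        # the net.exe parent and the net1.exe child normalise to the same string
        "_norm": " ".join(cmdline[match.start():].lower().split()),
    }


def detect(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON lines into alerts; the net.exe/net1.exe pair of one command is
    collapsed into a single alert keyed on host, user and normalised arguments."""
    seen, alerts = set(), []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the run
        if not isinstance(event, dict):
            continue
        alert = classify(event)
        if alert is None:
            continue
        key = (alert["Hostname"], alert["User"], alert.pop("_norm"))
        if key not in seen:
            seen.add(key)
            alerts.append(alert)
    return alerts


# Constructed sample events in Mordor-like shape (not records from the dataset).
_SYSMON, _NET, _NET1 = "Microsoft-Windows-Sysmon/Operational", "C:\\Windows\\System32\\net.exe", "C:\\Windows\\System32\\net1.exe"
SAMPLE_EVENTS = [
    # one enumeration seen twice: the net.exe parent and its net1.exe child -> one alert
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": _SYSMON, "EventID": 1, "User": "THESHIRE\\pgustavo",
     "Image": _NET, "CommandLine": "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators"},
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": _SYSMON, "EventID": 1, "User": "THESHIRE\\pgustavo",
     "Image": _NET1, "CommandLine": "C:\\Windows\\system32\\net1 localgroup Administrators"},
    # domain-scoped variant recorded as Security 4688 on a lowercase "security" channel
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 4688, "User": "THESHIRE\\wardog",
     "NewProcessName": _NET, "CommandLine": "net  localgroup  ADMINISTRATORS /domain"},
    # membership change: flagged, but as "modify" rather than enumeration
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": _SYSMON, "EventID": 1, "User": "THESHIRE\\wardog",
     "Image": _NET, "CommandLine": "net localgroup Administrators wardog /add"},
    # cmd.exe wrapper: not flagged on this line; the net.exe child it spawns would be
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": _SYSMON, "EventID": 1, "User": "THESHIRE\\pgustavo",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net localgroup Administrators"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all\n"


def run_sample() -> List[Dict]:
    """Run the detector over the constructed sample; yields three alerts."""
    return detect(SAMPLE_JSONL.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['Hostname']:<28} {a['User']:<18} {a['action']:<9} {a['scope']:<6} {a['CommandLine']}")
```

Run stand-alone it prints three alerts from the constructed sample: the WORKSTATION5 enumeration (parent and child collapsed into one line), the domain-scoped 4688 record, and the /add membership change; the cmd.exe wrapper and the malformed line produce nothing. To apply it to the dataset itself, feed detect() the JSON lines from the downloaded zip (assuming, as above, one JSON object per line with those field names).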