Empire Net Local Users
Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/03/19 |
| Modification Date | 2020/09/20 |
| Tactics | ['TA0007'] |
| Techniques | ['T1087.001'] |
| Tags | ['Local Users Enumeration'] |
Dataset Description

This dataset represents an adversary enumerating all local users on an endpoint with the `net user` command, run through an Empire agent.
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_net_local_users.zip |
Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Mordor shire | C2 | shell (net user) |
Adversary View

```text
(Empire: 1EHYPBVC) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
 4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:59:29  http
 1EHYPBVC ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7456   5/0.0    2020-09-21 23:25:39  http

(Empire: agents) > interact 1EHYPBVC
(Empire: 1EHYPBVC) > shell net user
[*] Tasked 1EHYPBVC to run TASK_SHELL
[*] Agent 1EHYPBVC tasked with task ID 3
(Empire: 1EHYPBVC) >
User accounts for \\WORKSTATION5

-------------------------------------------------------------------------------
DefaultAccount           Guest                    wardog
WDAGUtilityAccount
The command completed successfully.

..Command execution completed.

(Empire: 1EHYPBVC) >
```
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_net_local_users.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```text
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname, Channel, EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname, Channel, EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```text
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |724  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |167  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |139  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |116  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |105  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |101  |
|WORKSTATION6.theshire.local|security                                |4703   |82   |
|WORKSTATION6.theshire.local|security                                |4658   |62   |
|WORKSTATION6.theshire.local|security                                |4656   |52   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |36   |
|MORDORDC.theshire.local    |Security                                |5156   |33   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |32   |
|WORKSTATION6.theshire.local|security                                |5158   |26   |
|WORKSTATION6.theshire.local|security                                |5156   |24   |
|MORDORDC.theshire.local    |System                                  |16968  |19   |
|MORDORDC.theshire.local    |Security                                |5158   |18   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |17   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |13   |
|WORKSTATION6.theshire.local|security                                |4690   |10   |
|WORKSTATION5.theshire.local|security                                |5158   |10   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```
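The summary query above only tells you which channels and event IDs the dataset contains; hunting for the `net user` execution itself means pivoting to process-creation telemetry. The script below is an added example, not part of the original notebook and not using Spark or openhunt: it re-implements the page's GROUP BY query in plain Python and then applies a detection rule for local user enumeration over Sysmon EventID 1 records, where `net.exe` (or `net1.exe`, which `net.exe` delegates to, so each action normally appears twice) runs the `user` subcommand without switches. The flattened JSON-lines layout and the field names `Hostname`, `Channel`, `EventID`, `Image`, `CommandLine` and `ParentImage` are assumed to match Mordor's export, and every event below is constructed for this example.

```python
import json
from collections import Counter

# Constructed sample events in the flattened JSON-lines layout Mordor datasets
# use. Field names (Hostname, Channel, EventID, Image, CommandLine, ParentImage)
# are assumed; every value below is made up for this example.
SAMPLE_EVENTS = [
    # net user launched from the PowerShell agent: the event we want to surface
    {"Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "\"C:\\Windows\\system32\\net.exe\" user",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # net.exe hands the work to net1.exe, so the same action shows up a second time
    {"Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user",
     "ParentImage": "C:\\Windows\\System32\\net.exe"},
    # benign drive mapping: same binary, different subcommand
    {"Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use Z: \\\\fileserver\\share",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # account creation carries a switch; that is account manipulation, not enumeration
    {"Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user svc_backup P@ss /add",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # unrelated rows so the summary has something to group
    {"Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
    {"Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
    {"Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4103},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

NET_BINARIES = {"net.exe", "net1.exe"}


def load_events(jsonl_text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def summarize(events):
    """Plain-Python equivalent of the notebook's GROUP BY Hostname, Channel, EventID
    query: (Hostname, Channel, EventID, count) tuples, highest count first."""
    counts = Counter((e.get("Hostname"), e.get("Channel"), e.get("EventID")) for e in events)
    return sorted(((h, c, i, n) for (h, c, i), n in counts.items()),
                  key=lambda row: (-row[3], str(row[0]), str(row[1]), str(row[2])))


def _command_args(command_line):
    """Tokenize a Windows command line with quotes stripped and the program token dropped."""
    return command_line.replace('"', "").split()[1:]


def is_local_user_enumeration(event):
    """True for a Sysmon process-creation event where net.exe/net1.exe runs the
    'user' subcommand with no switches: 'net user' lists local accounts and
    'net user <name>' reads one. Switches such as /add, /delete or /domain mean
    account manipulation or domain discovery, which this rule deliberately ignores."""
    if event.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or event.get("EventID") != 1:
        return False
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in NET_BINARIES:
        return False
    args = _command_args(event.get("CommandLine", ""))
    if not args or args[0].lower() != "user":
        return False
    return not any(a.startswith("/") for a in args[1:])


def find_local_user_enumeration(events):
    """Return matching events, dropping the net1.exe child when its parent is net.exe
    so one enumeration is reported once rather than twice."""
    hits = [e for e in events if is_local_user_enumeration(e)]
    return [e for e in hits
            if not (e["Image"].lower().endswith("net1.exe")
                    and e.get("ParentImage", "").lower().endswith("net.exe"))]


if __name__ == "__main__":
    evs = load_events(SAMPLE_JSONL)
    for row in summarize(evs):
        print(row)
    for hit in find_local_user_enumeration(evs):
        print("local user enumeration:", hit["Hostname"], hit["CommandLine"], "<-", hit["ParentImage"])
```

On the real dataset you would replace `SAMPLE_JSONL` with the contents of the extracted JSON file from the zip above; the parent image of the surviving hit (here `powershell.exe`, matching the Empire agent process in the Adversary View) is the field that turns a noisy `net user` match into something worth triaging.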