Empire Net Domain Users

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/20

Tactics

['TA0007']

Techniques

['T1087.002']

Tags

['Domain Users Enumeration', 'RPC SAMR EnumDomainUsers']

Dataset Description

This dataset represents an adversary enumerating all users that belong to a domain via RPC SAMR EnumDomainUsers, here triggered by running `net user /domain` through an Empire agent.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Mordor shire | C2 | shell

Adversary View

(Empire: 1EHYPBVC) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:59:29  http            
1EHYPBVC ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7456   5/0.0    2020-09-21 23:25:39  http            

(Empire: agents) > interact 1EHYPBVC

(Empire: 1EHYPBVC) > shell net user /domain
[*] Tasked 1EHYPBVC to run TASK_SHELL
[*] Agent 1EHYPBVC tasked with task ID 5
(Empire: 1EHYPBVC) > 
The request will be processed at a domain controller for domain theshire.local.

User accounts for \\MORDORDC.theshire.local

-------------------------------------------------------------------------------
dschrute                 Guest                    krbtgt                   
lrodriguez               mscott                   nmartha                  
pbeesly                  pgustavo                 sbeavers                 
sysmonsvc                wardog                   
The command completed successfully.

..Command execution completed.

(Empire: 1EHYPBVC) > 

Explore Mordor Dataset

Initialize Analytics Engine

# openhunt's mordorutils wraps Spark session creation and Mordor dataset ingestion
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the dataset zip, load its events into a DataFrame and expose it as a SQL view
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_samr_EnumDomainUsers.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable

Get to know your data

# Count events per host, log channel and event ID to see which sources the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |160  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |98   |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |75   |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |66   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |57   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |36   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |19   |
|MORDORDC.theshire.local    |Security                                |5156   |17   |
|WORKSTATION5.theshire.local|security                                |5156   |10   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |10   |
|MORDORDC.theshire.local    |Security                                |5158   |10   |
|WORKSTATION5.theshire.local|security                                |5158   |10   |
|MORDORDC.theshire.local    |Security                                |4634   |5    |
|WORKSTATION6.theshire.local|security                                |5158   |4    |
|MORDORDC.theshire.local    |Security                                |4624   |4    |
|MORDORDC.theshire.local    |Security                                |4672   |4    |
|MORDORDC.theshire.local    |Security                                |4627   |4    |
|WORKSTATION6.theshire.local|security                                |5156   |4    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |3      |3    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
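As an added example (not from the page's notebook or the Mordor project), the following stdlib-only Python reproduces the page's Hostname/Channel/EventID aggregation over Mordor-style JSON-lines events without Spark, and then pivots to the activity the dataset was built around: net.exe/net1.exe opening the SMB connection that carries the SAMR EnumDomainUsers call. The sample events, the destination IPs and the Sysmon field names Image/DestinationIp/DestinationPort are constructed or assumed rather than taken from the page.

```python
import json
import ntpath
from collections import Counter

# Constructed sample in Mordor's JSON-lines layout (one event per line). Hostname,
# Channel and EventID are the fields the page queries; Image, DestinationIp and
# DestinationPort are Sysmon's field names (assumed); the IPs are made up.
SAMPLE_EVENTS = r"""
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3, "Image": "C:\\Windows\\System32\\net1.exe", "DestinationIp": "172.18.39.2", "DestinationPort": 445}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "172.18.39.2", "DestinationPort": 443}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 5156}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Windows PowerShell", "EventID": 800}
"""

SYSMON = "Microsoft-Windows-Sysmon/Operational"
NET_IMAGES = {"net.exe", "net1.exe"}  # net.exe delegates most subcommands to net1.exe

def load_events(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize(events):
    """Same aggregation as the page's Spark SQL: count per
    (Hostname, Channel, EventID), highest count first."""
    counts = Counter((e["Hostname"], e["Channel"], e["EventID"]) for e in events)
    return counts.most_common()

def net_smb_connections(events):
    """Sysmon EventID 3 records where net.exe/net1.exe opened an SMB (445)
    connection, the transport `net user /domain` uses to reach SAMR on a DC."""
    hits = []
    for e in events:
        if e.get("Channel") != SYSMON or e.get("EventID") != 3:
            continue
        if int(e.get("DestinationPort", 0)) != 445:
            continue
        if ntpath.basename(e.get("Image", "")).lower() in NET_IMAGES:
            hits.append(e)
    return hits

if __name__ == "__main__":
    evts = load_events(SAMPLE_EVENTS)
    print(summarize(evts))
    for h in net_smb_connections(evts):
        print("SAMR candidate:", h["Hostname"], h["Image"], "->", h["DestinationIp"])
```

Feeding the JSON lines from the dataset zip into `load_events` in place of `SAMPLE_EVENTS` runs the same two passes over the real capture.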