Empire Net Domain Users
Metadata

Author | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2019/03/19
Modification Date | 2020/09/20
Tactics | ['TA0007']
Techniques | ['T1087.002']
Tags | ['Domain Users Enumeration', 'RPC SAMR EnumDomainUsers']
Dataset Description
This dataset represents adversaries enumerating all users that belong to a domain via RPC SAMR EnumDomainUsers.
Datasets Downloads

Dataset Type | Link
---|---
Host |
Simulation Plan

Environment | Tool Type | Module
---|---|---
Mordor shire | C2 | shell
Adversary View

```text
(Empire: 1EHYPBVC) > agents
[*] Active agents:
Name     La Internal IP  Machine Name  Username            Process     PID   Delay  Last Seen            Listener
----     -- -----------  ------------  --------            -------     ---   -----  ---------            ----------------
4SUZ8X62 ps 172.18.39.5  WORKSTATION5  *THESHIRE\pgustavo  powershell  4092  5/0.0  2020-09-21 21:59:29  http
1EHYPBVC ps 172.18.39.5  WORKSTATION5  *THESHIRE\pgustavo  powershell  7456  5/0.0  2020-09-21 23:25:39  http
(Empire: agents) > interact 1EHYPBVC
(Empire: 1EHYPBVC) > shell net user /domain
[*] Tasked 1EHYPBVC to run TASK_SHELL
[*] Agent 1EHYPBVC tasked with task ID 5
(Empire: 1EHYPBVC) >
The request will be processed at a domain controller for domain theshire.local.
User accounts for \\MORDORDC.theshire.local
-------------------------------------------------------------------------------
dschrute                 Guest                    krbtgt
lrodriguez               mscott                   nmartha
pbeesly                  pgustavo                 sbeavers
sysmonsvc                wardog
The command completed successfully.
..Command execution completed.
(Empire: 1EHYPBVC) >
```
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_samr_EnumDomainUsers.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```text
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
# Event volume per host, log channel and event id: a first look at what the dataset holds.
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```
```text
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |160  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |98   |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |75   |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |66   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |57   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |36   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |19   |
|MORDORDC.theshire.local    |Security                                |5156   |17   |
|WORKSTATION5.theshire.local|security                                |5156   |10   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |10   |
|MORDORDC.theshire.local    |Security                                |5158   |10   |
|WORKSTATION5.theshire.local|security                                |5158   |10   |
|MORDORDC.theshire.local    |Security                                |4634   |5    |
|WORKSTATION6.theshire.local|security                                |5158   |4    |
|MORDORDC.theshire.local    |Security                                |4624   |4    |
|MORDORDC.theshire.local    |Security                                |4672   |4    |
|MORDORDC.theshire.local    |Security                                |4627   |4    |
|WORKSTATION6.theshire.local|security                                |5156   |4    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |3    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |3      |3    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```
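As an added example that is not part of the original notebook or the Mordor project, the plain-Python hunt logic below shows what the events in this dataset would be matched on: the SAMR EnumDomainUsers call behind `net user /domain` rides on SMB (TCP/445) to the domain controller, so a Sysmon EventID 3 from powershell.exe to port 445 on the DC, confirmed by a Security 5156 (WFP permitted connection) on the DC from the same source, is the footprint to look for. The event field names follow the Sysmon and Windows Security schemas and are assumed to match the dataset's JSON; the sample events are constructed, and the code runs on Python dicts rather than the SparkSQL view above.

```python
from datetime import datetime, timedelta
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

def _sysmon3(ts, port):
    # Constructed WORKSTATION5 network event; Sysmon field names assumed, not copied from the dataset.
    return {"@timestamp": ts, "Hostname": "WORKSTATION5.theshire.local",
            "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3, "Image": _PS,
            "SourceIp": "172.18.39.5", "DestinationHostname": "MORDORDC.theshire.local",
            "DestinationPort": port}

# Constructed sample, not rows from the dataset: one SMB connection from PowerShell,
# the matching WFP "connection permitted" event on the DC, and an unrelated HTTPS connection.
SAMPLE_EVENTS = [
    _sysmon3("2020-09-21T23:26:01.100Z", "445"),
    {"@timestamp": "2020-09-21T23:26:01.400Z", "Hostname": "MORDORDC.theshire.local",
     "Channel": "Security", "EventID": 5156, "Application": "System",
     "SourceAddress": "172.18.39.5", "DestPort": "445"},
    _sysmon3("2020-09-21T23:30:15.000Z", "443"),
]
DC_HOSTS = {"mordordc.theshire.local"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def powershell_smb_to_dc(events, dc_hosts=DC_HOSTS):
    """Sysmon EventID 3 where powershell.exe opens TCP/445 to a domain controller.
    SMB carries the SAMR named pipe, so this is the wire footprint of net user /domain."""
    return [e for e in events
            if int(e.get("EventID", 0)) == 3 and "Sysmon" in e.get("Channel", "")
            and e.get("Image", "").lower().endswith("\\powershell.exe")
            and str(e.get("DestinationPort")) == "445"
            and e.get("DestinationHostname", "").lower() in dc_hosts]

def confirm_on_dc(events, hits, window=timedelta(seconds=30)):
    """Pair each hit with a Security 5156 on the DC (Windows Filtering Platform
    permitted an inbound connection) from the same source address to port 445."""
    pairs = []
    for h in hits:
        for e in events:
            if (int(e.get("EventID", 0)) == 5156 and e.get("Channel", "").lower() == "security"
                    and e.get("SourceAddress") == h.get("SourceIp")
                    and str(e.get("DestPort")) == "445"
                    and abs(_ts(e["@timestamp"]) - _ts(h["@timestamp"])) <= window):
                pairs.append((h, e))
    return pairs

def run(events=SAMPLE_EVENTS):
    hits = powershell_smb_to_dc(events)
    return {"hits": len(hits), "confirmed": len(confirm_on_dc(events, hits))}
```

The same two conditions translate directly into a SparkSQL query over mordorTable once the column names are checked against the actual events.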