Empire Shell Net Domain Admins

Metadata

Author:             Roberto Rodriguez @Cyb3rWard0g
Creation Date:      2019/05/18
Modification Date:  2020/09/20
Tactics:            ['TA0007']
Techniques:         ['T1069.002']
Tags:               ['Domain Groups Enumeration', 'RPC SAMR SamrQueryInformationGroup']

Dataset Description

This dataset represents an adversary enumerating the members of a domain group (here, Domain Admins) via the RPC SAMR interface over SMB. The main RPC methods captured on the network are SamrLookupNamesInDomain (Opnum 17) and SamrQueryInformationGroup (Opnum 20); their parameters carry indicators of the specific group name being enumerated.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link
------    ----    ----

Simulation Plan

Environment     Tool Type    Module
-----------     ---------    ------
Mordor shire    C2           shell

Adversary View

(Empire: stager/multi/launcher) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent GM4LN8V9 checked in
[+] Initial agent GM4LN8V9 from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to GM4LN8V9 at 172.18.39.6
agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            
GM4LN8V9 ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         5724   5/0.0    2020-09-21 08:05:25  http            

(Empire: agents) > interact GM4LN8V9
(Empire: GM4LN8V9) > shell net group "Domain Admins" /domain
[*] Tasked GM4LN8V9 to run TASK_SHELL
[*] Agent GM4LN8V9 tasked with task ID 1
(Empire: GM4LN8V9) > 
The request will be processed at a domain controller for domain theshire.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
mscott                   pgustavo                 wardog                   
The command completed successfully.

..Command execution completed.

(Empire: GM4LN8V9) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_rpc_samr_smb_group_domain_admins_standard_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |642  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |355  |
|WORKSTATION6               |Windows PowerShell                      |800    |144  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |123  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |44   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |36   |
|MORDORDC.theshire.local    |Security                                |5158   |35   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |35   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |31   |
|WORKSTATION5.theshire.local|Security                                |5158   |30   |
|MORDORDC.theshire.local    |Security                                |5156   |29   |
|MORDORDC.theshire.local    |System                                  |16968  |21   |
|MORDORDC.theshire.local    |Security                                |4658   |20   |
|WORKSTATION6.theshire.local|security                                |5158   |19   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |18   |
|WORKSTATION5.theshire.local|Security                                |5156   |13   |
|WORKSTATION6.theshire.local|security                                |5156   |12   |
|WORKSTATION5.theshire.local|Security                                |4658   |12   |
|MORDORDC.theshire.local    |Security                                |4634   |10   |
|MORDORDC.theshire.local    |Security                                |4627   |9    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
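The event counts above show the domain controller (MORDORDC) logging object-access events while the group is enumerated. A common way to spot SAMR group enumeration on the DC is Security event 4661 ("A handle to an object was requested") with ObjectType SAM_GROUP and an ObjectName SID ending in a sensitive RID such as 512 (Domain Admins); that event requires the "Audit SAM" subcategory to be enabled. The following is an added example, not code from the Mordor project: it runs that check over constructed records shaped like mordorTable rows (the SID and usernames are made up, and the 4661 field names are assumed to follow the event's XML data).

```python
import re

# Added example (not part of the Mordor notebook). Flags SAMR handle requests
# against sensitive domain groups using constructed Security 4661 records.

# Well-known RIDs of groups whose enumeration is worth surfacing.
SENSITIVE_GROUP_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# ObjectName in 4661 for SAM objects is a SID; the last component is the RID.
SID_RID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample records (fake domain SID, fake users), same column names
# as mordorTable plus the 4661 event-data fields this check needs.
SAMPLE_EVENTS = [
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4661,
     "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-512",
     "SubjectUserName": "sbeavers"},
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4661,
     "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-513",
     "SubjectUserName": "sbeavers"},                       # Domain Users: benign
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4661,
     "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-1111-2222-3333-1104",
     "SubjectUserName": "sbeavers"},                       # user object, not a group
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 5156,
     "ObjectType": "", "ObjectName": "", "SubjectUserName": ""},  # unrelated event
]


def samr_group_enumeration(events):
    """Return (hostname, requesting user, group name) for each SAM_GROUP handle
    request on a sensitive group. The channel is compared case-insensitively
    because the dataset records it as both "Security" and "security"."""
    hits = []
    for ev in events:
        if str(ev.get("Channel", "")).lower() != "security" or ev.get("EventID") != 4661:
            continue
        if ev.get("ObjectType") != "SAM_GROUP":
            continue
        match = SID_RID_RE.match(ev.get("ObjectName", ""))
        if not match:
            continue
        rid = int(match.group(1))
        if rid in SENSITIVE_GROUP_RIDS:
            hits.append((ev["Hostname"], ev.get("SubjectUserName", ""), SENSITIVE_GROUP_RIDS[rid]))
    return hits
```

Against the real dataset the same predicate can be expressed as a WHERE clause on mordorTable; a standard user requesting a SAM_GROUP handle to the Domain Admins object is the signal to correlate with the workstation's outbound port 445 connection.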