Empire Shell Net Domain Admins
Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/05/18 |
| Modification Date | 2020/09/20 |
| Tactics | ['TA0007'] |
| Techniques | ['T1069.002'] |
| Tags | ['Domain Groups Enumeration', 'RPC SAMR SamrQueryInformationGroup'] |
Dataset Description

This dataset represents an adversary enumerating the members of a domain group (here, Domain Admins) through the RPC SAMR interface carried over SMB. Among the RPC methods captured on the network, SamrLookupNamesInDomain (Opnum 17) and SamrQueryInformationGroup (Opnum 20) are the most useful, because their requests carry the name of the specific group being enumerated.
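The SAMR sequence described above is what a network sensor sees. As an added example (not part of the Mordor dataset or its tooling), the following Python picks out client/server pairs that issue both SamrLookupNamesInDomain and SamrQueryInformationGroup to the `samr` endpoint in a Zeek `dce_rpc.log`. The log lines are constructed for this example (addresses, UIDs and timestamps are made up) and assume only Zeek's documented `dce_rpc.log` column names; the Mordor network capture itself is a pcap that would have to be run through Zeek first.

```python
"""
Added example (not from the Mordor project): flag client/server pairs whose
SAMR traffic includes both methods named in the dataset description.

Input is CONSTRUCTED Zeek dce_rpc.log-style TSV. Column names follow Zeek's
dce_rpc.log; hosts, UIDs and timestamps are invented for this example.
"""
from collections import defaultdict

# The two SAMR methods the dataset description singles out (Opnum 17 and 20).
INDICATOR_OPS = {"SamrLookupNamesInDomain", "SamrQueryInformationGroup"}

_HEADER = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
           "\trtt\tnamed_pipe\tendpoint\toperation")

# Constructed rows: 192.0.2.20 walks a group's membership, 192.0.2.21 only
# lists domains, and one unrelated LSARPC call is mixed in to be ignored.
_ROWS = [
    ("1600000000.10", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrConnect5"),
    ("1600000000.11", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrOpenDomain"),
    ("1600000000.12", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrLookupNamesInDomain"),
    ("1600000000.13", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrOpenGroup"),
    ("1600000000.14", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrQueryInformationGroup"),
    ("1600000000.15", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrGetMembersInGroup"),
    ("1600000000.16", "CuidA1", "192.0.2.20", "49702", "192.0.2.10", "445", "0.001", "\\pipe\\samr", "samr", "SamrClose"),
    ("1600000005.00", "CuidB7", "192.0.2.21", "50110", "192.0.2.10", "445", "0.002", "\\pipe\\samr", "samr", "SamrConnect5"),
    ("1600000005.01", "CuidB7", "192.0.2.21", "50110", "192.0.2.10", "445", "0.002", "\\pipe\\samr", "samr", "SamrEnumerateDomainsInSamServer"),
    ("1600000005.02", "CuidB7", "192.0.2.21", "50110", "192.0.2.10", "445", "0.002", "\\pipe\\samr", "samr", "SamrClose"),
    ("1600000006.00", "CuidB8", "192.0.2.21", "50111", "192.0.2.10", "445", "0.002", "\\pipe\\lsarpc", "lsarpc", "LsarOpenPolicy2"),
]
SAMPLE_DCE_RPC_LOG = "\n".join([_HEADER] + ["\t".join(r) for r in _ROWS])


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #path, #close, ...
            continue
        if fields is None:
            raise ValueError("data row encountered before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def samr_group_enumeration(text):
    """Return the (source, destination) pairs that called every INDICATOR_OPS
    method on the samr endpoint, with the full set of SAMR methods observed."""
    ops_by_pair = defaultdict(set)
    first_seen = {}
    for rec in parse_zeek_tsv(text):
        if rec.get("endpoint") != "samr":   # other DCE/RPC interfaces are out of scope
            continue
        pair = (rec["id.orig_h"], rec["id.resp_h"])
        ops_by_pair[pair].add(rec["operation"])
        first_seen.setdefault(pair, float(rec["ts"]))
    hits = [
        {"src": src, "dst": dst, "first_seen": first_seen[(src, dst)],
         "samr_operations": sorted(ops)}
        for (src, dst), ops in ops_by_pair.items()
        if INDICATOR_OPS <= ops                # both indicator methods present
    ]
    return sorted(hits, key=lambda h: h["first_seen"])


if __name__ == "__main__":
    for hit in samr_group_enumeration(SAMPLE_DCE_RPC_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {', '.join(hit['samr_operations'])}")
```

The same pair of methods is produced by an administrator legitimately running `net group` against a domain controller, so the value of this signal comes from which source hosts and accounts are expected to do it; pairing the network hit with the host-side events the dataset also ships (the PowerShell and Sysmon channels summarised below) is what turns it into an alert worth acting on.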
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_rpc_samr_smb_group_domain_admins_standard_user.zip |
| Network | |
Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Mordor shire | C2 | shell |
Adversary View

```
(Empire: stager/multi/launcher) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent GM4LN8V9 checked in
[+] Initial agent GM4LN8V9 from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to GM4LN8V9 at 172.18.39.6
agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http
GM4LN8V9 ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 5724 5/0.0 2020-09-21 08:05:25 http
(Empire: agents) > interact GM4LN8V9
(Empire: GM4LN8V9) > shell net group "Domain Admins" /domain
[*] Tasked GM4LN8V9 to run TASK_SHELL
[*] Agent GM4LN8V9 tasked with task ID 1
(Empire: GM4LN8V9) >
The request will be processed at a domain controller for domain theshire.local.
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
mscott pgustavo wardog
The command completed successfully.
..Command execution completed.
(Empire: GM4LN8V9) >
```
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```
Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_shell_rpc_samr_smb_group_domain_admins_standard_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```
```
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |642  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |355  |
|WORKSTATION6               |Windows PowerShell                      |800    |144  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |123  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |44   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |36   |
|MORDORDC.theshire.local    |Security                                |5158   |35   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |35   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |31   |
|WORKSTATION5.theshire.local|Security                                |5158   |30   |
|MORDORDC.theshire.local    |Security                                |5156   |29   |
|MORDORDC.theshire.local    |System                                  |16968  |21   |
|MORDORDC.theshire.local    |Security                                |4658   |20   |
|WORKSTATION6.theshire.local|security                                |5158   |19   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |18   |
|WORKSTATION5.theshire.local|Security                                |5156   |13   |
|WORKSTATION6.theshire.local|security                                |5156   |12   |
|WORKSTATION5.theshire.local|Security                                |4658   |12   |
|MORDORDC.theshire.local    |Security                                |4634   |10   |
|MORDORDC.theshire.local    |Security                                |4627   |9    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```
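One detail worth noticing in the output above is that the same channel appears as both `Security` and `security`, so the GROUP BY splits one channel across two rows per host. As an added example (not part of the notebook or the Mordor tooling), the following standard-library Python reproduces the same summary over constructed Mordor-style JSON lines and shows the effect of folding the channel name to one case before grouping; the records, their counts and the string-typed EventID in one of them are invented for this example and are not the dataset's real values.

```python
"""
Added example (not from the notebook): the "Get to know your data" summary
without Spark, over CONSTRUCTED Mordor-style JSON lines.

Only the three fields the notebook's query uses (Hostname, Channel, EventID)
are included; values are made up for this example.
"""
import json
from collections import Counter

SAMPLE_JSONL = """\
{"Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 5158}
{"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5158}
{"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10}
{"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10}
{"Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": "10"}
{"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 5156}
"""


def summarize(jsonl_text, normalize_channel=True):
    """Count events per (Hostname, Channel, EventID), most frequent first.

    With normalize_channel=True the channel name is case-folded so that
    'Security' and 'security' land in the same bucket; EventID is always cast
    to int so that "10" and 10 are the same event.
    """
    counts = Counter()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        channel = ev["Channel"].casefold() if normalize_channel else ev["Channel"]
        counts[(ev["Hostname"], channel, int(ev["EventID"]))] += 1
    # Same ordering as the notebook's ORDER BY count DESC, with a stable
    # tie-break on the key so the result is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (host, channel, event_id), n in summarize(SAMPLE_JSONL):
        print(f"{host:<28} {channel:<40} {event_id:<6} {n}")
```

Without normalization the constructed input yields four groups; with it, three, because the two `5158` rows from WORKSTATION6 merge. In the notebook's SparkSQL the equivalent is selecting and grouping by `lower(Channel)` instead of `Channel`, which is worth doing before any per-channel counts are compared between hosts.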