Empire Find Local Admin Access

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2019/05/18

Tactics

['TA0007']

Techniques

['T1069.001']

Tags

['RPC OpenSCManager', 'SMB Svcctl']

Dataset Description

This dataset represents adversaries using the OpenSCManagerW Win32 API call to establish a handle to the remote host and check whether the current user context has local administrator access to the target.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link
------ | ---- | ----

Simulation Plan

Environment  | Tool Type | Module
------------ | --------- | ----------------------
Mordor shire | C2        | find_localadmin_access

Adversary View

(Empire: GCSKD17Z) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
GCSKD17Z ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         1112   5/0.0    2020-09-22 06:15:19  http            

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) > usemodule situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute
[*] Tasked GCSKD17Z to run TASK_CMD_JOB
[*] Agent GCSKD17Z tasked with task ID 8
[*] Tasked agent GCSKD17Z to run module powershell/situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > 
Job started: GL5DUX

(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > back
(Empire: GCSKD17Z) > 
WORKSTATION5.theshire.local
WORKSTATION6.theshire.local
MORDORDC.theshire.local
WEC.theshire.local

Find-LocalAdminAccess completed!

(Empire: GCSKD17Z) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_find_localadmin_smb_svcctl_OpenSCManager.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and event ID to see what the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1155 |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |770  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |730  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |504  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |414  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |377  |
|MORDORDC.theshire.local    |Security                                |5156   |52   |
|WORKSTATION5.theshire.local|security                                |5158   |51   |
|WORKSTATION5.theshire.local|security                                |4658   |46   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |44   |
|WORKSTATION5.theshire.local|security                                |5156   |41   |
|WORKSTATION5.theshire.local|Windows PowerShell                      |600    |40   |
|MORDORDC.theshire.local    |Security                                |5158   |33   |
|WORKSTATION5.theshire.local|security                                |4703   |24   |
|WORKSTATION5.theshire.local|security                                |4656   |23   |
|WORKSTATION5.theshire.local|security                                |4663   |23   |
|WORKSTATION5.theshire.local|security                                |4690   |23   |
|WORKSTATION6.theshire.local|security                                |5156   |19   |
|WORKSTATION6.theshire.local|security                                |5158   |19   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |19   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
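As an added example that is not part of the original notebook: Find-LocalAdminAccess opens a handle on every host via OpenSCManagerW over SMB (svcctl), so each target logs a Security 5156 permitted connection to TCP/445 from the same source, and the fan-out is what a hunter looks for. The in-memory sqlite3 table, the 5156 field names and the 172.18.39.x addresses are assumptions/constructed for this example rather than taken from the Mordor file.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows shaped like the flattened Security 5156 events in the
# Mordor table (Hostname = the host that logged the permitted inbound connection).
# Field names follow the Windows 5156 event schema; addresses are made up.
SAMPLE_EVENTS = [
    # (Hostname, Channel, EventID, SourceAddress, DestAddress, DestPort, Application)
    ("WORKSTATION5.theshire.local", "security", 5156, "172.18.39.5", "172.18.39.5",  445, "System"),
    ("WORKSTATION6.theshire.local", "security", 5156, "172.18.39.5", "172.18.39.6",  445, "System"),
    ("MORDORDC.theshire.local",     "Security", 5156, "172.18.39.5", "172.18.39.2",  445, "System"),
    ("WEC.theshire.local",          "Security", 5156, "172.18.39.5", "172.18.39.3",  445, "System"),
    # benign noise: one ordinary file-share access and one non-SMB connection
    ("MORDORDC.theshire.local",     "Security", 5156, "172.18.39.6", "172.18.39.2",  445, "System"),
    ("WORKSTATION6.theshire.local", "security", 5156, "172.18.39.5", "172.18.39.6", 8080, "System"),
]

def load_events(rows) -> sqlite3.Connection:
    """Load constructed rows into an in-memory table named like the notebook's view."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE mordorTable (
        Hostname TEXT, Channel TEXT, EventID INTEGER, SourceAddress TEXT,
        DestAddress TEXT, DestPort INTEGER, Application TEXT)""")
    con.executemany("INSERT INTO mordorTable VALUES (?,?,?,?,?,?,?)", rows)
    return con

def smb_fanout(con: sqlite3.Connection, min_targets: int = 3) -> List[Tuple[str, int]]:
    """Sources whose permitted connections to TCP/445 were logged by >= min_targets distinct hosts."""
    # lower(Channel): the dataset mixes 'Security' and 'security' across hosts
    query = """
    SELECT SourceAddress, COUNT(DISTINCT Hostname) AS targets
    FROM mordorTable
    WHERE lower(Channel) = 'security' AND EventID = 5156 AND DestPort = 445
    GROUP BY SourceAddress
    HAVING targets >= ?
    ORDER BY targets DESC
    """
    return con.execute(query, (min_targets,)).fetchall()

if __name__ == "__main__":
    for src, n in smb_fanout(load_events(SAMPLE_EVENTS)):
        print(f"{src} reached {n} hosts over SMB (445)")
```

Against the real mordorTable the same query runs unchanged in spark.sql once the 5156 columns are present.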