Empire Remote Get Session

Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/05/19 |
| Modification Date | 2019/09/20 |
| Tactics | ['TA0007'] |
| Techniques | ['T1049'] |
| Tags | ['RPC NetSessEnum', 'SMB Srvsvc'] |
Dataset Description

This dataset represents adversaries leveraging the RPC SRVSVC interface and its NetSessEnum method over SMB to query remote hosts for active sessions.
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
| Network | |

Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| Mordor shire | C2 | |
Adversary View

```text
(Empire: WE8XYD3K) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
WE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5972 5/0.0 2020-09-22 07:44:38 http
(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > usemodule situational_awareness/network/powerview/get_session
(Empire: powershell/situational_awareness/network/powerview/get_session) > info
Name: Get-NetSession
Module: powershell/situational_awareness/network/powerview/get_session
NeedsAdmin: False
OpsecSafe: True
Language: powershell
MinLanguageVersion: 2
Background: True
OutputExtension: None
Authors:
@harmj0y
Description:
Execute the NetSessionEnum Win32API call to query a given
host for active sessions on the host. Part of PowerView.
Comments:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True WE8XYD3K Agent to run module on.
ComputerName False localhost The hostname or IP to query for local group users.
(Empire: powershell/situational_awareness/network/powerview/get_session) > set ComputerName MORDORDC
(Empire: powershell/situational_awareness/network/powerview/get_session) > execute
[*] Tasked WE8XYD3K to run TASK_CMD_JOB
[*] Agent WE8XYD3K tasked with task ID 2
[*] Tasked agent WE8XYD3K to run module powershell/situational_awareness/network/powerview/get_session
(Empire: powershell/situational_awareness/network/powerview/get_session) >
Job started: DV248X
CName UserName Time IdleTime ComputerName
----- -------- ---- -------- ------------
\\172.18.39.5 pgustavo 0 0 MORDORDC
Get-NetSession completed!
(Empire: powershell/situational_awareness/network/powerview/get_session) >
```
Explore Mordor Dataset

Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/empire_getsession_dcerpc_smb_srvsvc_NetSessEnum.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```text
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
Get to know your data

```python
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```text
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Security                                |4658   |1049 |
|MORDORDC.theshire.local    |Security                                |4656   |525  |
|MORDORDC.theshire.local    |Security                                |4690   |525  |
|MORDORDC.theshire.local    |Security                                |4663   |508  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |287  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |273  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |273  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |265  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |202  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |183  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |176  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |159  |
|MORDORDC.theshire.local    |Security                                |4703   |96   |
|MORDORDC.theshire.local    |Security                                |5156   |55   |
|WORKSTATION5.theshire.local|security                                |5158   |49   |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4104   |35   |
|MORDORDC.theshire.local    |Security                                |4627   |30   |
|MORDORDC.theshire.local    |Security                                |4624   |30   |
|WORKSTATION5.theshire.local|security                                |5156   |29   |
|MORDORDC.theshire.local    |Security                                |4672   |29   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
```
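To work with the same fields without a Spark cluster, the following Python (added here, not code from the Mordor project or the notebook above) reproduces the GROUP BY query in plain Python over constructed Mordor-style JSON lines and adds one detection step for the activity this dataset captures: Security 5145 events whose RelativeTargetName is the srvsvc pipe under IPC$. The 5145 event and its fields (ShareName, RelativeTargetName, IpAddress, SubjectUserName) are an assumption: they require detailed file share auditing on the server and do not appear in the top-20 listing above, so confirm they exist in the dataset before relying on them.

```python
import json
from collections import Counter

# Constructed Mordor-style JSON events (one per line). Hostname/Channel/EventID are the
# field names the page's query uses; the 5145 share-audit fields are an assumption.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4624,
     "LogonType": 3, "SubjectUserName": "pgustavo", "IpAddress": "172.18.39.5"},
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 5145,
     "SubjectUserName": "pgustavo", "IpAddress": "172.18.39.5",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 5145,
     "SubjectUserName": "backupsvc", "IpAddress": "172.18.39.7",
     "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "Policies\\gpt.ini"},
    {"Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10},
])

def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize(events):
    """Plain-Python equivalent of the page's SparkSQL query:
    GROUP BY Hostname, Channel, EventID, ORDER BY count DESC."""
    counts = Counter((e["Hostname"], e["Channel"], e["EventID"]) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def find_srvsvc_pipe_access(events):
    """Return (client IP, user, server) for 5145 events in which a remote client
    opened the srvsvc named pipe under IPC$, the SMB transport NetSessEnum rides on.
    Other IPC$ pipes and ordinary file shares (e.g. SYSVOL) are ignored."""
    hits = []
    for e in events:
        if e.get("Channel") != "Security" or e.get("EventID") != 5145:
            continue
        share = e.get("ShareName", "").upper()
        target = e.get("RelativeTargetName", "").lower()
        if share.endswith("IPC$") and target == "srvsvc":
            hits.append((e["IpAddress"], e["SubjectUserName"], e["Hostname"]))
    return hits

if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for (host, channel, event_id), n in summarize(events):
        print(f"{host:<28}{channel:<40}{event_id:<8}{n}")
    print("srvsvc pipe opens:", find_srvsvc_pipe_access(events))
```

Pointing `load_events` at the unzipped dataset's JSON file instead of `SAMPLE_EVENTS` gives the same per-host, per-channel, per-EventID counts as the Spark output above.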