Covenant GetDomainGroup Domain Admins

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/08/06

Modification Date

2020/08/06

Tactics

['TA0007']

Techniques

['T1069.002']

Tags

['Domain Groups Enumeration', 'LDAP SearchRequest']

Dataset Description

This dataset represents a threat actor enumerating domain groups via LDAP (i.e. the SearchRequest method) in an environment.

Notebooks

Notebooks created by the community leveraging the Mordor datasets

Author

Name

Link

Simulation Plan

Environment     Tool Type    Module
Mordor shire    C2           GetDomainGroup

Adversary View

[09/22/2020 18:10:15 UTC] GetDomainGroup completed
(wardog) > GetDomainGroup /identities:"Domain Admins"
samaccountname: Domain Admins
samaccounttype: GROUP_OBJECT
distinguishedname: CN=Domain Admins,CN=Users,DC=theshire,DC=local
cn: Domain Admins
objectsid: S-1-5-21-4228717743-1032521047-1810997296-512
grouptype: 0
admincount: 1
name: Domain Admins
description: Designated administrators of the domain
memberof: CN=Denied RODC Password Replication Group,CN=Users,DC=theshire,DC=local, CN=Administrators,CN=Builtin,DC=theshire,DC=local
useraccountcontrol: 0
badpasswordtime: 1/1/0001 12:00:00 AM
pwdlastset: 1/1/0001 12:00:00 AM
whencreated: 9/17/2020 3:14:46 PM
whenchanged: 9/17/2020 3:29:58 PM
accountexpires: 1/1/0001 12:00:00 AM
lastlogon: 1/1/0001 12:00:00 AM
lastlogoff: 1/1/0001 12:00:00 AM
objectcategory: CN=Group,CN=Schema,CN=Configuration,DC=theshire,DC=local
usnchanged: 12909
instancetype: 4
objectclass: top, group
iscriticalsystemobject: True
usncreated: 12345
dscorepropagationdata: 9/17/2020 3:29:58 PM, 9/17/2020 3:14:47 PM, 1/1/1601 12:04:16 AM
adspath: LDAP://CN=Domain Admins,CN=Users,DC=theshire,DC=local
objectguid: bba6ff30-abfc-4166-b209-5e6edd49366b
lastlogontimestamp: 1/1/0001 12:00:00 AM

Explore Mordor Dataset

Initialize Analytics Engine

# OpenHunt helpers used by the Mordor notebooks; get_spark() returns the Spark session
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/discovery/host/covenant_getdomaingroup_ldap_searchrequest_domain_admins.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and EventID to see what the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |253  |
|MORDORDC.theshire.local    |Security                            |4658   |64   |
|MORDORDC.theshire.local    |Security                            |4663   |32   |
|MORDORDC.theshire.local    |Security                            |4690   |32   |
|MORDORDC.theshire.local    |Security                            |4656   |32   |
|WORKSTATION5.theshire.local|security                            |5158   |27   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |25   |
|MORDORDC.theshire.local    |Security                            |5156   |22   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |18   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |17   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |16   |
|WORKSTATION5.theshire.local|security                            |5156   |13   |
|MORDORDC.theshire.local    |Security                            |5158   |12   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |12   |
|WORKSTATION6.theshire.local|security                            |5158   |8    |
|WORKSTATION6.theshire.local|security                            |5156   |7    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|3      |4    |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |3    |
|MORDORDC.theshire.local    |Security                            |4672   |3    |
|MORDORDC.theshire.local    |Security                            |4627   |3    |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
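The summary above only counts events per channel; the pivot a hunter would take next for this dataset is the network side of the enumeration, since an LDAP SearchRequest rides a TCP session from the client process to a domain controller on 389/636 (LDAP) or 3268/3269 (Global Catalog), and the workstation logs both Sysmon EventID 3 and Security 5156 for it. The block below is an added example, not part of the original notebook: pure Python over constructed rows rather than a Spark cell, with the Sysmon 3 and Security 5156 field names taken from their event schemas; their spelling in mordorTable, the DC address and the process names are assumptions.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog, GC over TLS

def _normalize(e: Dict) -> Optional[Tuple]:
    """Map a Sysmon EventID 3 or Security 5156 row onto (host, process, dest, port).
    The two sources name the same facts differently; anything else yields None.
    Ports arrive as strings in raw Windows events, so coerce to int."""
    chan, eid = str(e.get("Channel", "")), int(e.get("EventID", 0))
    if chan == "Microsoft-Windows-Sysmon/Operational" and eid == 3:
        keys = ("Image", "DestinationIp", "DestinationPort")
    elif chan.lower() == "security" and eid == 5156:
        keys = ("Application", "DestAddress", "DestPort")
    else:
        return None
    proc, dest, port = (e.get(k) for k in keys)
    return e.get("Hostname"), proc, dest, int(port)

def ldap_client_connections(events: Iterable[Dict], dc_hosts: Set[str]) -> List[Tuple]:
    """Connections to an LDAP port that did not originate on a domain controller
    (DC-to-DC traffic is expected; a workstation process talking LDAP is the pivot)."""
    hits = []
    for e in events:
        row = _normalize(e)
        if row and row[3] in LDAP_PORTS and row[0] not in dc_hosts:
            hits.append(row)
    return hits

# Constructed sample rows shaped like the dataset's hosts; not real dataset records.
DC_IP = "172.18.39.5"  # hypothetical address for MORDORDC
SAMPLE_EVENTS = [
    # workstation implant process opening LDAP to the DC: seen by Sysmon...
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 3, "Image": "C:\\Users\\wardog\\grunt.exe",
     "DestinationIp": DC_IP, "DestinationPort": "389"},
    # ...and by the Windows Filtering Platform under different field names
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "security", "EventID": "5156",
     "Application": "\\device\\harddiskvolume2\\users\\wardog\\grunt.exe",
     "DestAddress": DC_IP, "DestPort": "389"},
    # SMB, not LDAP: ignored
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": DC_IP, "DestinationPort": "445"},
    # the DC itself talking LDAP: expected, filtered out via dc_hosts
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 5156,
     "Application": "\\device\\harddiskvolume2\\windows\\system32\\lsass.exe",
     "DestAddress": DC_IP, "DestPort": "389"},
]
```

Run against the real mordorTable the same filter becomes a WHERE on EventID, Channel and the port column, joined back to Sysmon EventID 1 on ProcessGuid to recover the parent process of whatever spoke LDAP.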