PurpleSharp Active Directory Playbook I

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g, Mauricio Velazco @mvelazco
Creation Date: 2020/10/22
Modification Date: 2020/10/22
Tactics: ['TA0006', 'TA0006', 'TA0007', 'TA0008']
Techniques: ['T1110.003', 'T1558.003', 'T1135', 'T1021.006']
Tags: None

Dataset Description

This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).

Notebooks

Notebooks created by the community leveraging the mordor datasets:

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Shire | Manual | Cmd

Adversary View

c:\Users\pgustavo\Downloads>PurpleSharp.exe /t T1110.003,T1558.003,T1135,T1021.006
10/22/2020 04:29:52 [*]  Starting T1110.003 Simulation on WORKSTATION5
10/22/2020 04:29:52 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:52 [*]  Local Domain Brute Force using the LogonUser Win32 API function
[*] Targeting domain neighbor users
[*] Using LogonServer MORDORDC.theshire.local for LDAP queries
[*] Querying for active domain users with badPwdCount <= 3..
10/22/2020 04:29:53 [*]  Obtained 7 user accounts
10/22/2020 04:29:53 [*]  Tried to authenticate as lrodriguez (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pgustavo (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sysmonsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sbeavers (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as mscott (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pbeesly (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as nxlogsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Simulation Finished
10/22/2020 04:29:53 [*]  Starting T1558.003 Simulation on WORKSTATION5
10/22/2020 04:29:53 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Sysmon/theshire.local (sysmonsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Nxlog/theshire.local (nxlogsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Defense/theshire.local (defensesvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN OTR/theshire.local (otrsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Ring/theshire.local (mordorsvc)
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1135 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the Win32 API NetShareEnum function to execute this technique
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WEC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION6.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on MORDORDC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION7.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1021.006 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the System.Management.Automation .NET namespace to execute this technique
10/22/2020 04:29:54 [*]  Querying LDAP for random targets...
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:59 [*]  Started a process using WinRM on WORKSTATION7
10/22/2020 04:30:00 [*]  Started a process using WinRM on WEC
10/22/2020 04:30:00 [*]  Started a process using WinRM on WORKSTATION6
10/22/2020 04:30:01 [*]  Started a process using WinRM on MORDORDC
10/22/2020 04:30:01 [*]  Simulation Finished
10/22/2020 04:30:01 [*]  Playbook Finished

c:\Users\pgustavo\Downloads>

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |12     |15747|
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1027 |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1025 |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |13     |649  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |7      |532  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |422  |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |414  |
|MORDORDC.theshire.local    |Security                                |4658   |409  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |277  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |277  |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |212  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |212  |
|MORDORDC.theshire.local    |Security                                |4656   |212  |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |212  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |210  |
|MORDORDC.theshire.local    |Security                                |4690   |204  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |11     |203  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |169  |
|WORKSTATION6.theshire.local|Security                                |4658   |159  |
|WORKSTATION7.theshire.local|Security                                |4658   |159  |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
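The four techniques in the dataset description typically leave Windows Security events behind (a LogonUser-based spray shows up as 4625 failed logons on the workstation; Kerberoasting as 4769 TGS requests for many service accounts with RC4-HMAC, TicketEncryptionType 0x17), while the exploration above stops at counting events per channel. The following added example, which is not part of the Mordor project or of PurpleSharp, runs those two detections over constructed sample lines in the dataset's JSON-lines shape without a Spark session; the thresholds (min_spns, min_users) and the sample field values are assumptions, the field names are those of the Windows Security event schema.

```python
import json
from collections import defaultdict

# Constructed sample events in the Mordor JSON-lines shape (Hostname, Channel,
# EventID plus Security fields). Made up for this example, not real dataset rows.
SAMPLE_EVENTS = """\
{"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4769, "TargetUserName": "pgustavo@THESHIRE.LOCAL", "ServiceName": "sysmonsvc", "TicketEncryptionType": "0x17"}
{"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4769, "TargetUserName": "pgustavo@THESHIRE.LOCAL", "ServiceName": "nxlogsvc", "TicketEncryptionType": "0x17"}
{"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4769, "TargetUserName": "pgustavo@THESHIRE.LOCAL", "ServiceName": "otrsvc", "TicketEncryptionType": "0x17"}
{"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4769, "TargetUserName": "pgustavo@THESHIRE.LOCAL", "ServiceName": "WORKSTATION7$", "TicketEncryptionType": "0x12"}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4625, "TargetUserName": "lrodriguez", "Status": "0xc000006d"}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4625, "TargetUserName": "pgustavo", "Status": "0xc000006d"}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4625, "TargetUserName": "sysmonsvc", "Status": "0xc000006d"}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4625, "TargetUserName": "sbeavers", "Status": "0xc000006d"}
{"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4625, "TargetUserName": "mscott", "Status": "0xc000006d"}
{"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4625, "TargetUserName": "pbeesly", "Status": "0xc000006d"}
"""

def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_kerberoasting(events, min_spns=3):
    """Flag (DC, requesting account) pairs that obtained RC4-HMAC (0x17) service
    tickets for several distinct user service accounts. Machine accounts ($)
    and krbtgt are skipped: their tickets are not what Kerberoasting targets."""
    spns = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc == "krbtgt":
            continue
        spns[(e["Hostname"], e["TargetUserName"])].add(svc)
    return {k: sorted(v) for k, v in spns.items() if len(v) >= min_spns}

def detect_password_spray(events, min_users=5):
    """Flag hosts whose failed logons (4625) span many distinct accounts, the
    shape a LogonUser-based spray from one workstation leaves behind."""
    users = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4625:
            users[e["Hostname"]].add(e["TargetUserName"])
    return {h: sorted(u) for h, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("kerberoasting:", detect_kerberoasting(evts))
    print("password spray:", detect_password_spray(evts))
```

Against the real dataset the same functions apply to the rows of mordorTable once it is collected, with the thresholds tuned to the environment's baseline.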