.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

PurpleSharp Active Directory Playbook I

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g, Mauricio Velazco @mvelazco
Creation Date	2020/10/22
Modification Date	2020/10/22
Tactics	[‘TA0006’, ‘TA0006’, ‘TA0007’, ‘TA0008’]
Techniques	[‘T1110.003’, ‘T1558.003’, ‘T1135’, ‘T1021.006’]
Tags	None

Dataset Description

This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip
Network	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/network/purplesharp_ad_playbook_I.zip

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan

Environment	Tool Type	Module
Shire	Manual	Cmd

Adversary View

c:\Users\pgustavo\Downloads>PurpleSharp.exe /t T1110.003,T1558.003,T1135,T1021.006
10/22/2020 04:29:52 [*]  Starting T1110.003 Simulation on WORKSTATION5
10/22/2020 04:29:52 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:52 [*]  Local Domain Brute Force using the LogonUser Win32 API function
[*] Targeting domain neighbor users
[*] Using LogonServer MORDORDC.theshire.local for LDAP queries
[*] Querying for active domain users with badPwdCount <= 3..
10/22/2020 04:29:53 [*]  Obtained 7 user accounts
10/22/2020 04:29:53 [*]  Tried to authenticate as lrodriguez (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pgustavo (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sysmonsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sbeavers (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as mscott (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pbeesly (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as nxlogsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Simulation Finished
10/22/2020 04:29:53 [*]  Starting T1558.003 Simulation on WORKSTATION5
10/22/2020 04:29:53 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Sysmon/theshire.local (sysmonsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Nxlog/theshire.local (nxlogsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Defense/theshire.local (defensesvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN OTR/theshire.local (otrsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Ring/theshire.local (mordorsvc)
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1135 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the Win32 API NetShareEnum function to execute this technique
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WEC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION6.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on MORDORDC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION7.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1021.006 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the System.Management.Automation .NET namespace to execute this technique
10/22/2020 04:29:54 [*]  Querying LDAP for random targets...
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:59 [*]  Started a process using WinRM on WORKSTATION7
10/22/2020 04:30:00 [*]  Started a process using WinRM on WEC
10/22/2020 04:30:00 [*]  Started a process using WinRM on WORKSTATION6
10/22/2020 04:30:01 [*]  Started a process using WinRM on MORDORDC
10/22/2020 04:30:01 [*]  Simulation Finished
10/22/2020 04:30:01 [*]  Playbook Finished

c:\Users\pgustavo\Downloads>

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |12     |15747|
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1027 |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |1025 |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |13     |649  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |7      |532  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |422  |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |414  |
|MORDORDC.theshire.local    |Security                                |4658   |409  |
|MORDORDC.theshire.local    |Microsoft-Windows-PowerShell/Operational|4103   |277  |
|MORDORDC.theshire.local    |Windows PowerShell                      |800    |277  |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |212  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |212  |
|MORDORDC.theshire.local    |Security                                |4656   |212  |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |212  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |210  |
|MORDORDC.theshire.local    |Security                                |4690   |204  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |11     |203  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |169  |
|WORKSTATION6.theshire.local|Security                                |4658   |159  |
|WORKSTATION7.theshire.local|Security                                |4658   |159  |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows

Remote Scheduled Task Modification Covenant SharpSC Start