RDP TaskManager LSASS Dump

Contents

RDP TaskManager LSASS Dump¶

Metadata¶


Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/10/27
Modification Date	2020/09/21
Tactics	TA0006
Techniques	T1003.001
Tags	RDP Interactive

Dataset Description¶

This dataset represents adversaries using RDP and task manager interactively and dump the memory space of lsass.

Datasets Downloads¶

Type	Link
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/rdp_interactive_taskmanager_lsass_dump.zip

Simulation Metadata¶

Tools¶

type	Name	Module
Interactive Session	RDP	None

Adversary View¶

RDP to victim
Open Windows Task Manager as Administrator
Select lsass.exe
Right-click on lsass.exe and select “Create dump file”

Explore Datasets¶

Download & Decompress Dataset¶

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/rdp_interactive_taskmanager_lsass_dump.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File¶

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events¶

df.groupby(['Channel']).size().sort_values(ascending=False)

References¶

https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

previous

Empire Reg Dump SAM Hive

next

Covenant DCSync