RDP TaskManager LSASS Dump

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/10/27

Modification Date

2020/09/21

Tactics

TA0006

Techniques

T1003.001

Tags

RDP Interactive

Dataset Description

This dataset represents an adversary connecting to a host over RDP and using Task Manager interactively to dump the memory space of lsass.exe.

Simulation Metadata

Tools

Type                   Name    Module
Interactive Session    RDP     None

Adversary View

RDP to the victim host
Open Windows Task Manager as Administrator (dumping lsass.exe requires an elevated token)
Select lsass.exe in the process list
Right-click on lsass.exe and select "Create dump file"

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped dataset and extract the single JSON-lines file it contains
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/rdp_interactive_taskmanager_lsass_dump.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is newline-delimited JSON (one event per line), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)
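The steps in the Adversary View leave a handle-open on lsass.exe from taskmgr.exe, which Sysmon records as a ProcessAccess event (EventID 10). The following is an added example, not code from the OTRF notebook or dataset, showing detection logic for that behaviour; it is written over constructed records so it runs offline, and it assumes the dataset rows carry the standard Sysmon fields SourceImage, TargetImage and GrantedAccess. The GrantedAccess values in the sample (0x1fffff is PROCESS_ALL_ACCESS, 0x1010 is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) and the allowlist of expected LSASS readers are assumptions for illustration, and the check generalises beyond Task Manager to any process opening lsass.exe with read access.

```python
# Added example (not OTRF code): flag processes that open lsass.exe with
# PROCESS_VM_READ, the access a memory dump needs, in Sysmon EventID 10 records.
from typing import Iterable

PROCESS_VM_READ = 0x0010            # MiniDumpWriteDump must read lsass memory, so this bit is required
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that legitimately open lsass.exe with read access on many hosts.
# Assumption for the example; tune per environment.
EXPECTED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe"}

# Constructed sample events shaped like the dataset's Sysmon and Security rows.
# They are made up for this example, not copied from the dataset.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Windows\system32\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\system32\taskmgr.exe"},
    {"Channel": "Security", "EventID": 4663,
     "ProcessName": r"C:\Windows\system32\taskmgr.exe",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"},
]


def image_name(path) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def access_mask(value) -> int:
    """Sysmon logs GrantedAccess as a hex string such as "0x1fffff"; accept ints too."""
    return value if isinstance(value, int) else int(str(value), 16)


def find_lsass_access(records: Iterable[dict], expected=EXPECTED_LSASS_READERS) -> list:
    """Return Sysmon EventID 10 records in which a process outside the allowlist
    opened lsass.exe with an access mask that includes PROCESS_VM_READ."""
    hits = []
    for r in records:
        if r.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or r.get("EventID") != 10:
            continue                                   # only ProcessAccess events carry the handle data
        if image_name(r.get("TargetImage", "")) != "lsass.exe":
            continue
        if not access_mask(r.get("GrantedAccess", 0)) & PROCESS_VM_READ:
            continue                                   # e.g. 0x1000 (query limited info) cannot dump memory
        if image_name(r.get("SourceImage", "")) in expected:
            continue
        hits.append(r)
    return hits


def flagged_sources(records) -> list:
    """Image names of the flagged source processes, in event order."""
    return [image_name(r["SourceImage"]) for r in find_lsass_access(records)]


if __name__ == "__main__":
    for hit in find_lsass_access(SAMPLE_EVENTS):
        print(f"{hit['SourceImage']} opened lsass.exe with GrantedAccess {hit['GrantedAccess']}")
```

On the loaded dataset the same function can be fed from the DataFrame with `find_lsass_access(df.to_dict("records"))`. The allowlist is the weak point of this logic: an attacker who can run code as an allowlisted image name is not caught, so pair it with a full-path check or a signature check on SourceImage in a real deployment.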