Empire Enable RDP
Metadata

Contributors | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2019/05/18
Modification Date | 2020/09/20
Tactics |
Techniques |
Tags | Registry Modification, Windows Registry RDP Settings
Dataset Description

This dataset represents adversaries enabling RDP and adding a firewall exception on a compromised system.
Datasets Downloads

Type | Link
---|---
Host |
Adversary View
(Empire: TKV35P8X) > usemodule management/enable_rdp*
(Empire: powershell/management/enable_rdp) > info
Name: Enable-RDP
Module: powershell/management/enable_rdp
NeedsAdmin: True
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@harmj0y
Description:
Enables RDP on the remote machine and adds a firewall
exception.
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True TKV35P8X Agent to run module on.
(Empire: powershell/management/enable_rdp) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked TKV35P8X to run TASK_CMD_WAIT
[*] Agent TKV35P8X tasked with task ID 21
[*] Tasked agent TKV35P8X to run module powershell/management/enable_rdp
(Empire: powershell/management/enable_rdp) > The operation completed successfully.
(Empire: powershell/management/enable_rdp) >
Explore Datasets

Download & Decompress Dataset
import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive link as given on this page; it is downloaded into memory and unpacked from there
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_enable_rdp.tar.gz"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad link instead of trying to unzip an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it into the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File

import pandas as pd

# Each line of the extracted file is one event record
df = pd.read_json(datasetJSONPath, lines=True)
Access Security Events

# Count events per log channel, most populated channel first
df.groupby(['Channel']).size().sort_values(ascending=False)
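The channel count above shows where the records sit; the following is an added example (not from this page or the Security-Datasets project) that carries the exploration one step further into a defender's check, run offline over constructed records in the dataset's JSON-lines shape. It assumes the records carry Sysmon's field names (TargetObject, Details, Image, CommandLine) and that the module's two effects surface as a Sysmon registry event clearing fDenyTSConnections and a netsh process enabling the Remote Desktop firewall rule group; both are assumptions about how "enables RDP and adds a firewall exception" lands in telemetry, not values taken from the dataset.

```python
import json
from collections import Counter

# Constructed records in the dataset's JSON-lines shape (field names follow Sysmon's
# event schema; that they match this dataset's export is an assumption).
SAMPLE_LINES = [
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
                "Hostname": "WORKSTATION5.example.test",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
                "Details": "DWORD (0x00000000)"}),
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
                "Hostname": "WORKSTATION5.example.test", "Image": "C:\\Windows\\System32\\netsh.exe",
                "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'}),
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
                "Hostname": "WORKSTATION5.example.test", "Image": "C:\\Windows\\System32\\svchost.exe",
                "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Dhcp\\Parameters\\LeaseObtainedTime",
                "Details": "DWORD (0x5cdfa0c1)"}),
    json.dumps({"Channel": "Security", "EventID": 4688, "Hostname": "WORKSTATION5.example.test"}),
]

def load_events(lines):
    """Parse JSON-lines records, skipping blank lines (the same shape read_json(lines=True) yields)."""
    return [json.loads(line) for line in lines if line.strip()]

def count_by_channel(events):
    """Plain-Python equivalent of df.groupby(['Channel']).size()."""
    return dict(Counter(e.get("Channel") for e in events))

def rdp_enable_findings(events):
    """Flag the two host-side effects the module description names: the RDP deny flag being
    cleared in the registry (Sysmon 13) and an RDP firewall rule being enabled via netsh (Sysmon 1)."""
    findings = []
    for e in events:
        if e.get("Channel") != "Microsoft-Windows-Sysmon/Operational":
            continue
        target = e.get("TargetObject", "").lower()
        if (e.get("EventID") == 13 and target.endswith("\\terminal server\\fdenytsconnections")
                and e.get("Details") == "DWORD (0x00000000)"):
            findings.append(("rdp_enabled_via_registry", e.get("Hostname"), e.get("Image")))
        elif e.get("EventID") == 1 and e.get("Image", "").lower().endswith("\\netsh.exe"):
            cmd = e.get("CommandLine", "").lower()
            if "firewall" in cmd and "remote desktop" in cmd and "enable=yes" in cmd:
                findings.append(("rdp_firewall_exception", e.get("Hostname"), e.get("Image")))
    return findings

if __name__ == "__main__":
    events = load_events(SAMPLE_LINES)
    print(count_by_channel(events))
    for finding in rdp_enable_findings(events):
        print(finding)
```

Against the real dataset, feed the lines of the extracted file to load_events instead of SAMPLE_LINES and pair each finding with the Image to see which process made the change.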