Empire Enable RDP

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

TA0005

Techniques

T1112

Tags

Registry Modification,Windows Registry RDP Settings

Dataset Description

This dataset represents adversaries enabling RDP and adding a firewall exception to a compromised system

Simulation Metadata

Tools

type

Name

Module

C2

Empire

management

Adversary View

(Empire: TKV35P8X) > usemodule management/enable_rdp*           
(Empire: powershell/management/enable_rdp) > info

              Name: Enable-RDP
            Module: powershell/management/enable_rdp
        NeedsAdmin: True
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @harmj0y

Description:
  Enables RDP on the remote machine and adds a firewall
  exception.

Options:

  Name  Required    Value                     Description
  ----  --------    -------                   -----------
  Agent True        TKV35P8X                  Agent to run module on.                 

(Empire: powershell/management/enable_rdp) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked TKV35P8X to run TASK_CMD_WAIT
[*] Agent TKV35P8X tasked with task ID 21
[*] Tasked agent TKV35P8X to run module powershell/management/enable_rdp
(Empire: powershell/management/enable_rdp) > The operation completed successfully.
(Empire: powershell/management/enable_rdp) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_enable_rdp.tar.gz
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)