Empire Net Local Administrators Group

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/20

Tactics

TA0007

Techniques

T1069.001

Tags

Local Administrators Group Enumeration

Dataset Description

This dataset represents adversaries enumerating members of the local Administrators group with the net.exe utility (net localgroup Administrators), run through a PowerShell Empire agent's shell module.

Simulation Metadata

Tools

| type | Name   | Module                               |
|------|--------|--------------------------------------|
| C2   | Empire | shell (net localgroup Administrators) |

Adversary View

(Empire: 1EHYPBVC) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:59:29  http            
1EHYPBVC ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7456   5/0.0    2020-09-21 23:18:05  http            

(Empire: agents) > interact 1EHYPBVC
(Empire: 1EHYPBVC) > shell net localgroup Administrators
[*] Tasked 1EHYPBVC to run TASK_SHELL
[*] Agent 1EHYPBVC tasked with task ID 2
(Empire: 1EHYPBVC) > 
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
THESHIRE\Domain Admins
wardog
The command completed successfully.


..Command execution completed.

(Empire: 1EHYPBVC) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped JSON-lines dataset from the OTRF Security-Datasets repository
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_shell_net_localgroup_administrators.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail on a 404 or moved file instead of trying to unzip an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single .json file; extract it to the working directory and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# Each line of the extracted file is one JSON event, so read it as JSON Lines
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel (Sysmon, Security, PowerShell, ...) to see which sources the dataset covers
df.groupby(['Channel']).size().sort_values(ascending=False)
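The cells above only load the events; the following hunting logic is an added example for this page, not code from the original notebook or the OTRF project. It looks for the technique the dataset captures in two independent ways: process creation of net.exe or its net1.exe child with `localgroup Administrators` on the command line (Sysmon event 1 or Security 4688), and Security 4799, which Windows logs whenever a security-enabled local group's membership is enumerated, regardless of the tool used. The field names (Channel, EventID, Hostname, Image, ParentImage, CommandLine, NewProcessName, TargetUserName, CallerProcessName) follow the Winlogbeat/Sysmon conventions used across Security-Datasets and are an assumption about this particular file; the SAMPLE_EVENTS are constructed for illustration, not copied from the dataset.

```python
"""Hunt for local Administrators group enumeration in Security-Datasets-style events.

Added example for this page; not part of the original notebook or the OTRF
project. Field names are assumed to follow the Winlogbeat/Sysmon conventions
used in the Security-Datasets JSON. SAMPLE_EVENTS are constructed, not real.
"""
import re
from typing import Dict, Iterable, List

# Process-creation sources and the field that carries the executable path.
PROCESS_EVENTS = {
    ("Microsoft-Windows-Sysmon/Operational", 1): "Image",
    ("Security", 4688): "NewProcessName",
}

# net.exe hands 'localgroup' (like 'user' and 'group') to a net1.exe child, so
# both binaries are matched; matching only net.exe misses the child event.
NET_BINARIES = {"net.exe", "net1.exe"}
LOCALGROUP_ADMINS = re.compile(r"\blocalgroup\b\s+\"?administrators\"?", re.IGNORECASE)


def _basename(path: str) -> str:
    # Compare the file name only, so 'telnet.exe' does not match 'net.exe'
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_net_admin_enumeration(ev: Dict) -> bool:
    """Process creation of net.exe/net1.exe with 'localgroup Administrators' on the command line."""
    path_field = PROCESS_EVENTS.get((ev.get("Channel"), ev.get("EventID")))
    if path_field is None:
        return False
    if _basename(str(ev.get(path_field, ""))) not in NET_BINARIES:
        return False
    return bool(LOCALGROUP_ADMINS.search(str(ev.get("CommandLine", ""))))


def is_admin_membership_enumerated(ev: Dict) -> bool:
    """Security 4799 ('A security-enabled local group membership was enumerated')
    for the Administrators group. Logged by the OS whichever tool asked, so it also
    covers enumeration through PowerShell, WMI or a custom binary, not just net."""
    return (
        ev.get("Channel") == "Security"
        and ev.get("EventID") == 4799
        and str(ev.get("TargetUserName", "")).lower() == "administrators"
    )


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one hit per matching event: rule name, host and the evidence field."""
    hits = []
    for ev in events:
        if is_net_admin_enumeration(ev):
            hits.append({"rule": "net_localgroup_administrators",
                         "host": ev.get("Hostname"),
                         "evidence": ev.get("CommandLine")})
        elif is_admin_membership_enumerated(ev):
            hits.append({"rule": "administrators_membership_enumerated",
                         "host": ev.get("Hostname"),
                         "evidence": ev.get("CallerProcessName")})
    return hits


SYSMON = "Microsoft-Windows-Sysmon/Operational"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
HOST = "WORKSTATION5.theshire.local"
# Constructed events mirroring what 'shell net localgroup Administrators' from a
# PowerShell Empire agent would produce, plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "Hostname": HOST, "ParentImage": PS,
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators"},
    {"Channel": SYSMON, "EventID": 1, "Hostname": HOST,
     "ParentImage": "C:\\Windows\\System32\\net.exe",
     "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 localgroup Administrators"},
    {"Channel": "Security", "EventID": 4688, "Hostname": HOST,
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net localgroup Administrators"},
    {"Channel": "Security", "EventID": 4799, "Hostname": HOST,
     "TargetUserName": "Administrators", "TargetDomainName": "Builtin",
     "CallerProcessName": "C:\\Windows\\System32\\net1.exe"},
    # Benign: a drive mapping with net.exe, and a 4799 for a different group
    {"Channel": SYSMON, "EventID": 1, "Hostname": HOST,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use Z: \\\\fileserver\\share"},
    {"Channel": "Security", "EventID": 4799, "Hostname": HOST,
     "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin",
     "CallerProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

To run it over the downloaded dataset rather than the constructed sample, pass the DataFrame rows as dicts: `hunt(df.to_dict("records"))`. Missing columns come through as NaN, which neither rule matches. Whether the 4799 branch fires on real telemetry depends on the Audit Security Group Management subcategory being enabled on the host, and the process-creation branch on Sysmon ProcessCreate or Audit Process Creation with command-line logging; the Channel counts from the cell above show which of those sources this dataset actually carries.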