Empire Find Local Admin Access

Metadata

| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/05/18 |
| Modification Date | 2019/05/18 |
| Tactics | TA0007 |
| Techniques | T1069.001 |
| Tags | RPC OpenSCManager, SMB Svcctl |

Dataset Description

This dataset represents adversaries using the OpenSCManagerW Win32 API call to establish a handle to the Service Control Manager on a remote host and verify whether the current user context has local administrator access to the target.

Simulation Metadata

Tools

| Type | Name | Module |
|---|---|---|
| C2 | Empire | find_localadmin_access |

Adversary View

```text
(Empire: GCSKD17Z) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
GCSKD17Z ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         1112   5/0.0    2020-09-22 06:15:19  http

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) > usemodule situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute
[*] Tasked GCSKD17Z to run TASK_CMD_JOB
[*] Agent GCSKD17Z tasked with task ID 8
[*] Tasked agent GCSKD17Z to run module powershell/situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) >
Job started: GL5DUX

(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > back
(Empire: GCSKD17Z) >
WORKSTATION5.theshire.local
WORKSTATION6.theshire.local
MORDORDC.theshire.local
WEC.theshire.local

Find-LocalAdminAccess completed!

(Empire: GCSKD17Z) >
```

Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Location of the compressed dataset (a zip containing one JSON-lines file)
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_find_localadmin_smb_svcctl_OpenSCManager.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # stop here on a failed download rather than unzipping an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member, the JSON file, into the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

Read JSON File

```python
import pandas as pd

# Each line of the file is one event, hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```

Access Security Events

```python
# Count events per log source (Channel), most common first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
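The dataset description above explains the technique (a remote OpenSCManagerW call used to test for local administrator access), and the cells above only load and count events. The following is an added example, not code from the Security Datasets project, showing the hunting logic a defender would run over such events: it correlates a Security 4624 network logon (LogonType 3) with the 4656 handle request for the SC_MANAGER object `ServicesActive` in the same logon session, and separately picks out Zeek `dce_rpc` records with endpoint `svcctl` and operation `OpenSCManagerW`. The field names (EventID, LogonType, TargetLogonId, SubjectLogonId, ObjectType, ObjectName, `id.orig_h`, `id.resp_h`, endpoint, operation) are assumed from Windows Security event data and Zeek's dce_rpc log rather than taken from this page, and the records are constructed; hostnames and the 172.18.39.5 source reuse values from the adversary view, while 172.18.39.6 and the LogonIds are made up. It uses only the standard library so it runs without pandas; to apply it to the dataset, pass `df.to_dict('records')` to the functions instead of `load_events(SAMPLE_JSONL)`.

```python
import json

# Constructed sample records in the flattened JSON-lines shape the dataset uses.
# Field names are assumptions (Windows Security event XML and Zeek dce_rpc);
# the hostnames and 172.18.39.5 come from the adversary view, the rest is made up.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    # Network (LogonType 3) logon on WORKSTATION6 from the agent host ...
    {"Channel": "Security", "EventID": 4624, "Hostname": "WORKSTATION6.theshire.local",
     "LogonType": 3, "TargetUserName": "pgustavo", "TargetDomainName": "THESHIRE",
     "TargetLogonId": "0x3E7A1", "IpAddress": "172.18.39.5"},
    # ... followed by the handle request for the SCM object in that session
    {"Channel": "Security", "EventID": 4656, "Hostname": "WORKSTATION6.theshire.local",
     "ObjectServer": "SC Manager", "ObjectType": "SC_MANAGER", "ObjectName": "ServicesActive",
     "SubjectUserName": "pgustavo", "SubjectLogonId": "0x3E7A1", "AccessMask": "0xF003F"},
    # Benign noise: an interactive (LogonType 2) user opening the local SCM
    {"Channel": "Security", "EventID": 4624, "Hostname": "WORKSTATION6.theshire.local",
     "LogonType": 2, "TargetUserName": "localuser", "TargetDomainName": "WORKSTATION6",
     "TargetLogonId": "0x12345", "IpAddress": "-"},
    {"Channel": "Security", "EventID": 4656, "Hostname": "WORKSTATION6.theshire.local",
     "ObjectServer": "SC Manager", "ObjectType": "SC_MANAGER", "ObjectName": "ServicesActive",
     "SubjectUserName": "localuser", "SubjectLogonId": "0x12345", "AccessMask": "0xF003F"},
    # The same probe landing on the domain controller from the same source
    {"Channel": "Security", "EventID": 4624, "Hostname": "MORDORDC.theshire.local",
     "LogonType": 3, "TargetUserName": "pgustavo", "TargetDomainName": "THESHIRE",
     "TargetLogonId": "0x5B200", "IpAddress": "172.18.39.5"},
    {"Channel": "Security", "EventID": 4656, "Hostname": "MORDORDC.theshire.local",
     "ObjectServer": "SC Manager", "ObjectType": "SC_MANAGER", "ObjectName": "ServicesActive",
     "SubjectUserName": "pgustavo", "SubjectLogonId": "0x5B200", "AccessMask": "0xF003F"},
    # Network view of the WORKSTATION6 probe: DCE/RPC over the svcctl named pipe
    {"Channel": "zeek_dce_rpc", "id.orig_h": "172.18.39.5", "id.resp_h": "172.18.39.6",
     "named_pipe": "\\PIPE\\svcctl", "endpoint": "svcctl", "operation": "OpenSCManagerW"},
])


def load_events(jsonl_text):
    """Parse JSON-lines text into one dict per event, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def remote_scm_handles(events):
    """Correlate 4624 network logons with 4656 SC_MANAGER handle requests.

    Returns (hostname, domain\\user, source_ip) for each SCM handle request whose
    SubjectLogonId belongs to a LogonType 3 session on the same host. Handle
    requests from interactive sessions are dropped: the remote probe is the
    signal, local service management is the noise.
    """
    network_logons = {}
    for e in events:
        if e.get("Channel") == "Security" and e.get("EventID") == 4624 and e.get("LogonType") == 3:
            network_logons[(e.get("Hostname"), e.get("TargetLogonId", "").lower())] = e
    hits = []
    for e in events:
        if (e.get("Channel") == "Security" and e.get("EventID") == 4656
                and e.get("ObjectType") == "SC_MANAGER" and e.get("ObjectName") == "ServicesActive"):
            logon = network_logons.get((e.get("Hostname"), e.get("SubjectLogonId", "").lower()))
            if logon is not None:
                user = f"{logon['TargetDomainName']}\\{logon['TargetUserName']}"
                hits.append((e["Hostname"], user, logon["IpAddress"]))
    return hits


def svcctl_openscmanager(events):
    """Zeek view of the same probe: OpenSCManagerW calls to the svcctl DCE/RPC
    endpoint, returned as sorted (source, destination) address pairs."""
    return sorted({(e["id.orig_h"], e["id.resp_h"]) for e in events
                   if e.get("endpoint") == "svcctl" and e.get("operation") == "OpenSCManagerW"})


def scm_probe_fanout(events):
    """Count the distinct hosts each source address opened a remote SCM handle on.

    Find-LocalAdminAccess walks every computer it enumerates, so one source
    touching many hosts in a short window is the pattern to alert on; a single
    hit may just be an administrator managing services on one remote machine.
    """
    by_source = {}
    for hostname, _user, source_ip in remote_scm_handles(events):
        by_source.setdefault(source_ip, set()).add(hostname)
    return {source: len(hosts) for source, hosts in by_source.items()}


if __name__ == "__main__":
    events = load_events(SAMPLE_JSONL)
    for hit in remote_scm_handles(events):
        print("remote SCM handle:", hit)
    print("svcctl OpenSCManagerW:", svcctl_openscmanager(events))
    print("hosts probed per source:", scm_probe_fanout(events))
```

On the sample, `remote_scm_handles` reports the two probes from 172.18.39.5 and ignores the local user's handle request, `svcctl_openscmanager` returns the one Zeek pair, and `scm_probe_fanout` shows that source touching two hosts. The 4656 event only appears on the target when handle auditing for the SCM object is enabled; if it is not, the Zeek `dce_rpc` view or the 4624 network logons on their own are the fallback.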