Empire Find Local Admin Access

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2019/05/18

Tactics

TA0007

Techniques

T1069.001

Tags

RPC OpenSCManager,SMB Svcctl

Dataset Description

This dataset represents adversaries using the OpenSCManagerW Win32API call to establish a handle to the remote host and verify if the current user context has local administrator acess to the target.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

find_localadmin_access

Adversary View

(Empire: GCSKD17Z) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
GCSKD17Z ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         1112   5/0.0    2020-09-22 06:15:19  http            

(Empire: agents) > interact GCSKD17Z
(Empire: GCSKD17Z) > usemodule situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute
[*] Tasked GCSKD17Z to run TASK_CMD_JOB
[*] Agent GCSKD17Z tasked with task ID 8
[*] Tasked agent GCSKD17Z to run module powershell/situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > 
Job started: GL5DUX

(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > back
(Empire: GCSKD17Z) > 
WORKSTATION5.theshire.local
WORKSTATION6.theshire.local
MORDORDC.theshire.local
WEC.theshire.local

Find-LocalAdminAccess completed!

(Empire: GCSKD17Z) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_find_localadmin_smb_svcctl_OpenSCManager.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)