Empire Remote Get Session

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/19

Modification Date

2019/09/20

Tactics

TA0007

Techniques

T1049

Tags

RPC NetSessEnum,SMB Srvsvc

Dataset Description

This dataset represents adversaries leveraging the RPC SRVSVC interface and its NetSessEnum method over SMB to query remote hosts for active sessions.

Simulation Metadata

Tools

type  Name    Module
----  ----    -----------
C2    Empire  get_session

Adversary View

(Empire: WE8XYD3K) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
WE8XYD3K ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5972   5/0.0    2020-09-22 07:44:38  http            

(Empire: agents) > interact WE8XYD3K
(Empire: WE8XYD3K) > usemodule situational_awareness/network/powerview/get_session
(Empire: powershell/situational_awareness/network/powerview/get_session) > info

              Name: Get-NetSession
            Module: powershell/situational_awareness/network/powerview/get_session
        NeedsAdmin: False
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @harmj0y

Description:
  Execute the NetSessionEnum Win32API call to query a given
  host for active sessions on the host. Part of PowerView.

Comments:
  https://github.com/PowerShellMafia/PowerSploit/blob/dev/Reco
  n/

Options:

  Name         Required    Value                     Description
  ----         --------    -------                   -----------
  Agent        True        WE8XYD3K                  Agent to run module on.                 
  ComputerName False       localhost                 The hostname or IP to query for local   
                                                    group users.                            

(Empire: powershell/situational_awareness/network/powerview/get_session) > set ComputerName MORDORDC
(Empire: powershell/situational_awareness/network/powerview/get_session) > execute
[*] Tasked WE8XYD3K to run TASK_CMD_JOB
[*] Agent WE8XYD3K tasked with task ID 2
[*] Tasked agent WE8XYD3K to run module powershell/situational_awareness/network/powerview/get_session
(Empire: powershell/situational_awareness/network/powerview/get_session) > 
Job started: DV248X

CName         UserName Time IdleTime ComputerName
-----         -------- ---- -------- ------------
\\172.18.39.5 pgustavo    0        0 MORDORDC    

Get-NetSession completed!

(Empire: powershell/situational_awareness/network/powerview/get_session) > 

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the compressed dataset and extract the JSON-lines file it contains
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/empire_getsession_dcerpc_smb_srvsvc_NetSessEnum.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# Each line of the extracted file is one JSON-encoded event record
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per Windows event log channel
df.groupby(['Channel']).size().sort_values(ascending=False)
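NetSessEnum reaches the target through the srvsvc named pipe on the IPC$ share, so on a host with "Audit Detailed File Share" enabled the query surfaces as a Security event 5145 with RelativeTargetName srvsvc. The following is an added example, not part of the original notebook: it applies that filter to JSON-lines records of the shape the dataset uses. The sample records are constructed, and the flattened field names (ShareName, RelativeTargetName, IpAddress, SubjectUserName, Hostname) are assumed to match the dataset's 5145 events.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample records in the dataset's JSON-lines layout (not events
# taken from the page). Field names assume the flattened Security 5145 schema.
SAMPLE_LINES = [
    json.dumps({"Channel": "Security", "EventID": 5145, "Hostname": "MORDORDC",
                "SubjectUserName": "pgustavo", "IpAddress": "172.18.39.5",
                "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"}),
    # Benign share access on the same host: same share type of event, different pipe/target
    json.dumps({"Channel": "Security", "EventID": 5145, "Hostname": "MORDORDC",
                "SubjectUserName": "pgustavo", "IpAddress": "172.18.39.5",
                "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "Policies"}),
    # Unrelated logon event and a Sysmon network connection are ignored by the filter
    json.dumps({"Channel": "Security", "EventID": 4624, "Hostname": "MORDORDC",
                "SubjectUserName": "pgustavo", "IpAddress": "172.18.39.5"}),
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
                "Hostname": "WORKSTATION5", "DestinationPort": 445}),
]


def srvsvc_pipe_access(lines: Iterable[str]) -> List[Dict]:
    """Return Security 5145 events where a client opened the srvsvc pipe via IPC$."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("Channel") != "Security" or int(ev.get("EventID", 0)) != 5145:
            continue
        share = str(ev.get("ShareName", "")).lower()
        target = str(ev.get("RelativeTargetName", "")).lower()
        if share.endswith("\\ipc$") and target == "srvsvc":
            hits.append({k: ev.get(k) for k in
                         ("Hostname", "IpAddress", "SubjectUserName", "ShareName",
                          "RelativeTargetName")})
    return hits


def sources_by_count(hits: List[Dict]) -> Counter:
    """Aggregate hits by (client IP, account) to spot one host sweeping many targets."""
    return Counter((h["IpAddress"], h["SubjectUserName"]) for h in hits)
```

Over the real dataset, the same filter can be applied to `df` after selecting `Channel == 'Security'` and `EventID == 5145`.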