Contents

Covenant GetDomainGroup Domain Admins

Contents

Covenant GetDomainGroup Domain Admins#

Metadata#


Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/08/06
Modification Date	2020/08/06
Tactics	TA0007
Techniques	T1069.002
Tags	Domain Groups Enumeration,LDAP SearchRequest

Dataset Description#

This dataset represents a threat actor enumerating the domain groups via LDAP (i.e. SearchRequest Method) in an environment.

Datasets Downloads#

Type	Link
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/covenant_getdomaingroup_ldap_searchrequest_domain_admins.zip
Network	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/network/covenant_getdomaingroup_ldap_searchrequest_domain_admins.zip

Simulation Metadata#

Tools#

type	Name	Module
C2	Covenant	GetDomainGroup

Adversary View#

[09/22/2020 18:10:15 UTC] GetDomainGroup completed
(wardog) > GetDomainGroup /identities:"Domain Admins"
samaccountname: Domain Admins
samaccounttype: GROUP_OBJECT
distinguishedname: CN=Domain Admins,CN=Users,DC=theshire,DC=local
cn: Domain Admins
objectsid: S-1-5-21-4228717743-1032521047-1810997296-512
grouptype: 0
admincount: 1
name: Domain Admins
description: Designated administrators of the domain
memberof: CN=Denied RODC Password Replication Group,CN=Users,DC=theshire,DC=local, CN=Administrators,CN=Builtin,DC=theshire,DC=local
useraccountcontrol: 0
badpasswordtime: 1/1/0001 12:00:00 AM
pwdlastset: 1/1/0001 12:00:00 AM
whencreated: 9/17/2020 3:14:46 PM
whenchanged: 9/17/2020 3:29:58 PM
accountexpires: 1/1/0001 12:00:00 AM
lastlogon: 1/1/0001 12:00:00 AM
lastlogoff: 1/1/0001 12:00:00 AM
objectcategory: CN=Group,CN=Schema,CN=Configuration,DC=theshire,DC=local
usnchanged: 12909
instancetype: 4
objectclass: top, group
iscriticalsystemobject: True
usncreated: 12345
dscorepropagationdata: 9/17/2020 3:29:58 PM, 9/17/2020 3:14:47 PM, 1/1/1601 12:04:16 AM
adspath: LDAP://CN=Domain Admins,CN=Users,DC=theshire,DC=local
objectguid: bba6ff30-abfc-4166-b209-5e6edd49366b
lastlogontimestamp: 1/1/0001 12:00:00 AM

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/covenant_getdomaingroup_ldap_searchrequest_domain_admins.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)

References#

https://blog.f-secure.com/endpoint-detection-of-remote-service-creation-and-psexec/