PurpleSharp Active Directory Playbook I

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g,Mauricio Velazco @mvelazco

Creation Date

2020/10/22

Modification Date

2020/10/22

Tactics

TA0006,TA0007,TA0008

Techniques

T1110.003,T1558.003,T1135,T1021.006

Tags

None

Dataset Description

This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).

Simulation Metadata

Tools

type

Name

Module

Manual

Cmd

Cmd

Adversary View

c:\Users\pgustavo\Downloads>PurpleSharp.exe /t T1110.003,T1558.003,T1135,T1021.006
10/22/2020 04:29:52 [*]  Starting T1110.003 Simulation on WORKSTATION5
10/22/2020 04:29:52 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:52 [*]  Local Domain Brute Force using the LogonUser Win32 API function
[*] Targeting domain neighbor users
[*] Using LogonServer MORDORDC.theshire.local for LDAP queries
[*] Querying for active domain users with badPwdCount <= 3..
10/22/2020 04:29:53 [*]  Obtained 7 user accounts
10/22/2020 04:29:53 [*]  Tried to authenticate as lrodriguez (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pgustavo (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sysmonsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sbeavers (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as mscott (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pbeesly (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as nxlogsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Simulation Finished
10/22/2020 04:29:53 [*]  Starting T1558.003 Simulation on WORKSTATION5
10/22/2020 04:29:53 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Sysmon/theshire.local (sysmonsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Nxlog/theshire.local (nxlogsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Defense/theshire.local (defensesvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN OTR/theshire.local (otrsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Ring/theshire.local (mordorsvc)
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1135 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the Win32 API NetShareEnum function to execute this technique
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WEC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION6.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on MORDORDC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION7.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1021.006 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the System.Management.Automation .NET namespace to execute this technique
10/22/2020 04:29:54 [*]  Querying LDAP for random targets...
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:59 [*]  Started a process using WinRM on WORKSTATION7
10/22/2020 04:30:00 [*]  Started a process using WinRM on WEC
10/22/2020 04:30:00 [*]  Started a process using WinRM on WORKSTATION6
10/22/2020 04:30:01 [*]  Started a process using WinRM on MORDORDC
10/22/2020 04:30:01 [*]  Simulation Finished
10/22/2020 04:30:01 [*]  Playbook Finished

c:\Users\pgustavo\Downloads>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)