PurpleSharp Active Directory Playbook I

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g, Mauricio Velazco @mvelazco

Creation Date: 2020/10/22

Modification Date: 2020/10/22

Tactics: TA0006, TA0007, TA0008

Techniques: T1110.003, T1558.003, T1135, T1021.006

Tags: None

Dataset Description

This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).

Simulation Metadata

Tools

| type   | Name | Module |
|--------|------|--------|
| Manual | Cmd  | Cmd    |

Adversary View

c:\Users\pgustavo\Downloads>PurpleSharp.exe /t T1110.003,T1558.003,T1135,T1021.006
10/22/2020 04:29:52 [*]  Starting T1110.003 Simulation on WORKSTATION5
10/22/2020 04:29:52 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:52 [*]  Local Domain Brute Force using the LogonUser Win32 API function
[*] Targeting domain neighbor users
[*] Using LogonServer MORDORDC.theshire.local for LDAP queries
[*] Querying for active domain users with badPwdCount <= 3..
10/22/2020 04:29:53 [*]  Obtained 7 user accounts
10/22/2020 04:29:53 [*]  Tried to authenticate as lrodriguez (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pgustavo (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sysmonsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as sbeavers (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as mscott (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as pbeesly (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Tried to authenticate as nxlogsvc (NTLM). Error Code:1326
10/22/2020 04:29:53 [*]  Simulation Finished
10/22/2020 04:29:53 [*]  Starting T1558.003 Simulation on WORKSTATION5
10/22/2020 04:29:53 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Sysmon/theshire.local (sysmonsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Nxlog/theshire.local (nxlogsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Defense/theshire.local (defensesvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN OTR/theshire.local (otrsvc)
10/22/2020 04:29:54 [*]  Obtained service ticket and hash for SPN Ring/theshire.local (mordorsvc)
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1135 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the Win32 API NetShareEnum function to execute this technique
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WEC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION6.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on MORDORDC.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Successfully enumerated shares on WORKSTATION7.theshire.local as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Simulation Finished
10/22/2020 04:29:54 [*]  Starting T1021.006 Simulation on WORKSTATION5
10/22/2020 04:29:54 [*]  Simulator running from c:\Users\pgustavo\Downloads\PurpleSharp.exe with PID:7520 as THESHIRE\pgustavo
10/22/2020 04:29:54 [*]  Using the System.Management.Automation .NET namespace to execute this technique
10/22/2020 04:29:54 [*]  Querying LDAP for random targets...
[*] Obtaining domain neighbor targets ...
[*] Using MORDORDC.theshire.local for LDAP queries
10/22/2020 04:29:54 [*]  Obtained 4 target computers
10/22/2020 04:29:59 [*]  Started a process using WinRM on WORKSTATION7
10/22/2020 04:30:00 [*]  Started a process using WinRM on WEC
10/22/2020 04:30:00 [*]  Started a process using WinRM on WORKSTATION6
10/22/2020 04:30:01 [*]  Started a process using WinRM on MORDORDC
10/22/2020 04:30:01 [*]  Simulation Finished
10/22/2020 04:30:01 [*]  Playbook Finished

c:\Users\pgustavo\Downloads>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Location of the compressed dataset in the Security-Datasets repository (a string literal).
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/purplesharp_ad_playbook_I.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad download instead of trying to unzip an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it to the working directory.
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The file holds one JSON object per line, so read it with lines=True.
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Number of events per Windows event log channel, most frequent first.
df.groupby(['Channel']).size().sort_values(ascending=False)
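Counting events per channel is the first look at the data; the next step is to pull out the signals the playbook is meant to leave behind. The following is an added example, not part of the dataset's notebook or of PurpleSharp, that works on the same JSON-lines layout without needing pandas. It constructs a handful of sample events shaped like the brute-force (Security 4625) and Kerberoasting (Security 4769) activity in the adversary view above, then applies two simple hunting rules: many distinct accounts failing to log on from one host, and one principal requesting RC4-HMAC (encryption type 0x17) service tickets for many service accounts. The field names (EventID, Channel, Hostname, TargetUserName, ServiceName, TicketEncryptionType, Status) are the flattened Security-channel fields assumed here, and every value is made up for the example rather than copied from the real dataset.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: account names and service accounts echo the adversary view
# above, but the events themselves are invented for this example.
SPRAYED_USERS = ["lrodriguez", "pgustavo", "sysmonsvc", "sbeavers", "mscott", "pbeesly", "nxlogsvc"]
ROASTED_ACCOUNTS = ["sysmonsvc", "nxlogsvc", "defensesvc", "otrsvc", "mordorsvc"]


def _event(**fields):
    """Build one JSON-lines record; defaults assume the DC is the logging host."""
    base = {"Channel": "Security", "Hostname": "MORDORDC.theshire.local"}
    base.update(fields)
    return json.dumps(base)


SAMPLE_JSONL = "\n".join(
    # T1110.003: the workstation records a 4625 per guessed account, all with
    # NTSTATUS 0xC000006D (unknown user name or bad password).
    [_event(EventID=4625, Hostname="WORKSTATION5.theshire.local", LogonType=3,
            SubjectUserName="pgustavo", TargetUserName=u, Status="0xc000006d")
     for u in SPRAYED_USERS]
    # T1558.003: the DC records a 4769 per service ticket, all RC4-HMAC (0x17).
    + [_event(EventID=4769, TargetUserName="pgustavo@THESHIRE.LOCAL", ServiceName=s,
              TicketEncryptionType="0x17")
       for s in ROASTED_ACCOUNTS]
    # Benign noise: a computer account requesting an AES ticket for another
    # machine account, and a Sysmon record on a different channel.
    + [_event(EventID=4769, TargetUserName="WORKSTATION6$@THESHIRE.LOCAL",
              ServiceName="MORDORDC$", TicketEncryptionType="0x12"),
       _event(Channel="Microsoft-Windows-Sysmon/Operational", EventID=1,
              Hostname="WORKSTATION5.theshire.local",
              Image="C:\\Windows\\System32\\wsmprovhost.exe")]
)


def load_events(jsonl_text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def count_by_channel(events):
    """Same summary as df.groupby(['Channel']).size(), without pandas."""
    return Counter(e.get("Channel") for e in events)


def spray_candidates(events, min_targets=5):
    """T1110.003 indicator: one host emitting 4625 failures (bad user/password)
    against at least `min_targets` distinct accounts.
    Returns sorted (hostname, distinct_target_count) pairs over the threshold."""
    targets = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4625 and str(e.get("Status", "")).lower() == "0xc000006d":
            targets[e.get("Hostname")].add(e.get("TargetUserName"))
    return sorted((h, len(u)) for h, u in targets.items() if len(u) >= min_targets)


def kerberoast_candidates(events, min_services=3):
    """T1558.003 indicator: a single principal requesting RC4-HMAC (0x17) service
    tickets for at least `min_services` distinct service accounts. Computer
    accounts (trailing '$') and krbtgt are skipped as routine false positives.
    Returns sorted (requesting_principal, distinct_service_count) pairs."""
    services = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or str(e.get("TicketEncryptionType", "")).lower() != "0x17":
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        services[e.get("TargetUserName")].add(svc)
    return sorted((u, len(s)) for u, s in services.items() if len(s) >= min_services)


if __name__ == "__main__":
    evts = load_events(SAMPLE_JSONL)
    print(count_by_channel(evts))
    print("Possible password spraying:", spray_candidates(evts))
    print("Possible Kerberoasting:", kerberoast_candidates(evts))
```

To run the same rules over the real dataset, replace SAMPLE_JSONL with the contents of the file at datasetJSONPath; the thresholds are deliberately low for the sample and should be tuned against a baseline of normal logon and ticket-request volume before use in detection.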