Seatbelt Group User Discovery
Contents
Seatbelt Group User Discovery#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/11/02 |
Modification Date |
2020/11/02 |
Tactics |
|
Techniques |
|
Tags |
None |
Dataset Description#
This dataset represents a threat actor using Seatbelt profiling an endpoint. This specifically uses the -group=user command.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
Adversary View#
C:\Users\wardog\Desktop>Seatbelt.exe -group=user
%&&@@@&&
&&&&&&&%%%, #&&@@@@@@%%%%%%###############%
&%& %&%% &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####% &%%**# @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((#####
###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((#####
#####%###################### %%%.. @////(((&%%%%%%%################
&%& %%%%% Seatbelt %////(((&%%%%%%%%#############*
&%%&&&%%%%% v1.1.0 ,(((&%%%%%%%%%%%%%%%%%,
#%%%%##,
====== ChromePresence ======
C:\Users\wardog\AppData\Local\Google\Chrome\User Data\Default\
'History' (11/2/2020 4:25:44 PM) : Run the 'ChromeHistory' command
'Cookies' (11/2/2020 4:25:45 PM) : Run SharpDPAPI/SharpChrome or the Mimikatz "dpapi::chrome" module
'Login Data' (11/2/2020 4:25:44 PM) : Run SharpDPAPI/SharpChrome or the Mimikatz "dpapi::chrome" module
Chrome Version : 86.0.4240.183
Version is 80+, new DPAPI scheme must be used
====== CloudCredentials ======
====== CredEnum ======
Target : XboxLive
UserName :
Password : 45 43 53 32 20 00 00 00 11 F5 17 F2 CA 4E 24 26 0A 61 2C 8B E6 3A 3C 99 9A 09 88 A1 BE 7B BA 72 07 8A 5D CD A1 B3 A4 18 60 38 AD 4B 6D 40 5C 05 68 C3 A6 C8 51 C0 98 7C CB 3C DA AA 65 88 E6 B8 C0 93 BA FE 21 E5 34 7B A0 A9 F2 4B EF 09 D1 1E AE 10 AD 98 E7 AE C6 9B 27 D2 CF 50 39 CC 97 78 E9 0D 82 E3 1B 11 4C 90
CredentialType : Generic
PersistenceType : Session
LastWriteTime : 10/29/2020 5:51:36 PM
Target : threathunterplaybook.com
UserName : wardog
Password :
CredentialType : DomainPassword
PersistenceType : Enterprise
LastWriteTime : 10/28/2020 7:13:44 PM
====== dir ======
LastAccess LastWrite Size Path
20-09-07 20-09-07 0B C:\Users\Default\Documents\My Music\
20-09-07 20-09-07 0B C:\Users\Default\Documents\My Pictures\
20-09-07 20-09-07 0B C:\Users\Default\Documents\My Videos\
20-10-26 20-11-02 1.7KB C:\Users\Public\Desktop\Git Bash.lnk
20-11-02 20-11-02 2.2KB C:\Users\Public\Desktop\Google Chrome.lnk
20-10-08 20-10-28 0B C:\Users\Public\Documents\Explorer Suite Signatures\
20-09-07 20-09-07 0B C:\Users\Public\Documents\My Music\
20-09-07 20-09-07 0B C:\Users\Public\Documents\My Pictures\
20-09-07 20-09-07 0B C:\Users\Public\Documents\My Videos\
20-10-25 20-11-02 0B C:\Users\wardog\Desktop\capa-v1.4.1-windows\
20-10-18 20-11-02 0B C:\Users\wardog\Desktop\Dumpert-master\
20-10-13 20-11-02 0B C:\Users\wardog\Desktop\GruntDLL\
20-10-25 20-11-02 0B C:\Users\wardog\Desktop\mimikatz_trunk\
20-10-29 20-11-02 0B C:\Users\wardog\Desktop\SharpView-master\
20-10-09 20-11-02 0B C:\Users\wardog\Desktop\SimpleInjection\
20-10-13 20-11-02 0B C:\Users\wardog\Desktop\SimpleInjection 2\
20-10-23 20-10-23 1.9KB C:\Users\wardog\Desktop\0001.dat
20-10-18 20-10-18 81.2KB C:\Users\wardog\Desktop\Dumpert-master.zip
20-10-13 20-10-13 8.4MB C:\Users\wardog\Desktop\GruntDLL.zip
20-10-13 20-10-13 42.1KB C:\Users\wardog\Desktop\GruntHTTP.bin
20-10-21 20-11-02 392.9MB C:\Users\wardog\Desktop\igfx_win10_100.8853.exe
20-10-08 20-11-02 1.4KB C:\Users\wardog\Desktop\Microsoft Edge.lnk
20-10-25 20-11-02 1.2MB C:\Users\wardog\Desktop\mimikatz.exe
20-10-27 20-10-29 33B C:\Users\wardog\Desktop\my_first_rule
20-10-18 20-11-02 74KB C:\Users\wardog\Desktop\Outflank-Dumpert.exe
20-10-28 20-10-29 1.8KB C:\Users\wardog\Desktop\potential_process_herpaderping.yara
20-10-27 20-11-02 1.9KB C:\Users\wardog\Desktop\Process Hacker 2.lnk
20-10-26 20-11-02 2.1MB C:\Users\wardog\Desktop\ProcessHerpaderping.exe
20-10-27 20-10-27 1.6KB C:\Users\wardog\Desktop\ProcessHerpaderping.exe.colors
20-10-27 20-10-27 15.7MB C:\Users\wardog\Desktop\ProcessHerpaderping.exe.viv
20-10-23 20-11-02 266.5KB C:\Users\wardog\Desktop\PurpleSharp.exe
20-10-21 20-11-02 505.5KB C:\Users\wardog\Desktop\Seatbelt.exe
20-10-29 20-10-29 651.3KB C:\Users\wardog\Desktop\SharpView-master.zip
20-10-13 20-10-13 1.4MB C:\Users\wardog\Desktop\SimpleInjection 2.zip
20-10-16 20-10-23 53KB C:\Users\wardog\Desktop\SimpleInjection.dll
20-10-08 20-10-08 22.8MB C:\Users\wardog\Desktop\SimpleInjection.zip
20-10-17 20-10-17 15.2KB C:\Users\wardog\Desktop\sysmon.xml
20-10-09 20-10-27 209.5KB C:\Users\wardog\Desktop\test.dll
20-10-27 20-10-27 1.1KB C:\Users\wardog\Desktop\test.dll.colors
20-10-10 20-10-10 208.2KB C:\Users\wardog\Desktop\test.json
20-10-09 20-10-12 88.5KB C:\Users\wardog\Desktop\test2.dll
20-10-27 20-11-02 2.1MB C:\Users\wardog\Desktop\yara64.exe
20-10-27 20-11-02 2MB C:\Users\wardog\Desktop\yarac64.exe
20-10-26 20-11-02 0B C:\Users\wardog\Documents\herpaderping\
20-10-18 20-10-28 0B C:\Users\wardog\Documents\LocaleMetaData\
20-10-08 20-10-08 0B C:\Users\wardog\Documents\My Music\
20-10-08 20-10-08 0B C:\Users\wardog\Documents\My Pictures\
20-10-08 20-10-08 0B C:\Users\wardog\Documents\My Videos\
20-10-18 20-10-28 0B C:\Users\wardog\Documents\Raccine(1)\
20-11-02 20-11-02 0B C:\Users\wardog\Documents\Set-AuditRule-master\
20-10-08 20-10-28 0B C:\Users\wardog\Documents\TagsRevisited\
20-10-08 20-10-30 0B C:\Users\wardog\Documents\Visual Studio 2019\
20-10-17 20-10-28 0B C:\Users\wardog\Documents\WindowsPowerShell\
20-10-08 20-10-08 8.4MB C:\Users\wardog\Documents\GruntDLL.zip
20-10-21 20-11-02 8.1KB C:\Users\wardog\Documents\Mordor-WinEvents.psm1
20-11-02 20-11-02 208.2KB C:\Users\wardog\Documents\psh_powershell_httplistener_2020-11-0204130683.json
20-10-29 20-10-29 3.4MB C:\Users\wardog\Documents\psh_python_webserver_2020-10-2900161507.json
20-10-28 20-10-28 208.9KB C:\Users\wardog\Documents\psh_web_credentials_2020-10-2819191483.json
20-10-18 20-10-18 283.3KB C:\Users\wardog\Documents\Raccine(1).zip
20-11-02 20-11-02 879.8KB C:\Users\wardog\Documents\Set-AuditRule-master.zip
20-10-20 20-10-21 10.3KB C:\Users\wardog\Documents\Set-AuditRule.ps1
20-10-16 20-10-16 2.3KB C:\Users\wardog\Documents\Start-EtwTrace.ps1
20-10-16 20-10-16 47.4KB C:\Users\wardog\Documents\TLGMetadataParser.ps1
20-10-16 20-10-16 47.4KB C:\Users\wardog\Documents\TLGMetadataParser.psm1
20-10-27 20-10-27 6.6KB C:\Users\wardog\Documents\udl-yara.xml
20-10-27 20-10-27 6KB C:\Users\wardog\Documents\YARA.xml
20-10-10 20-10-28 0B C:\Users\wardog\Downloads\evtx_dump-0.6.8-x86_64-pc-windows-msvc.tar\
20-10-10 20-10-28 0B C:\Users\wardog\Downloads\fd-v8.1.1-x86_64-pc-windows-msvc\
20-10-08 20-11-02 0B C:\Users\wardog\Downloads\Koppeling-master\
20-10-27 20-10-28 0B C:\Users\wardog\Downloads\OpenJDK11U-jdk_x64_windows_hotspot_11.0.9_11\
20-10-19 20-10-28 0B C:\Users\wardog\Downloads\PSTools\
20-10-09 20-10-28 0B C:\Users\wardog\Downloads\Sysmon\
20-10-27 20-10-28 0B C:\Users\wardog\Downloads\yara-v4.0.2-1347-win64\
20-10-25 20-10-25 11.1MB C:\Users\wardog\Downloads\capa-v1.4.1-windows.zip
20-10-10 20-10-10 1.2MB C:\Users\wardog\Downloads\evtx_dump-0.6.8-x86_64-pc-windows-msvc.tar.gz
20-10-10 20-10-10 898.4KB C:\Users\wardog\Downloads\fd-v8.1.1-x86_64-pc-windows-msvc.zip
20-10-27 20-10-27 67.5MB C:\Users\wardog\Downloads\ghidra-Ghidra_9.1.2_build.zip
20-10-08 20-10-08 36.3KB C:\Users\wardog\Downloads\Koppeling-master.zip
20-10-25 20-10-25 1.1MB C:\Users\wardog\Downloads\mimikatz_trunk.zip
20-10-27 20-10-27 186.7MB C:\Users\wardog\Downloads\OpenJDK11U-jdk_x64_windows_hotspot_11.0.9_11.zip
20-10-19 20-10-19 3MB C:\Users\wardog\Downloads\PSTools.zip
20-10-09 20-10-09 1.8MB C:\Users\wardog\Downloads\Sysmon.zip
20-10-27 20-10-27 2MB C:\Users\wardog\Downloads\yara-v4.0.2-1347-win64.zip
====== DpapiMasterKeys ======
Folder : C:\Users\wardog\AppData\Roaming\Microsoft\Protect\S-1-5-21-3940915590-64593676-1414006259-500
LastAccessed LastModified FileName
------------ ------------ --------
10/18/2020 3:41:37 AM 10/18/2020 3:41:37 AM ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe
[*] Use the Mimikatz "dpapi::masterkey" module with appropriate arguments (/pvk or /rpc) to decrypt
[*] You can also extract many DPAPI masterkeys from memory with the Mimikatz "sekurlsa::dpapi" module
[*] You can also use SharpDPAPI for masterkey retrieval.
====== ExplorerMRUs ======
Explorer BUILTIN\Administrators 2020-11-02 C:\Users\wardog\Documents\cmd_psexec_lsa_secrets_dump_2020-10-2001090629.json
Explorer BUILTIN\Administrators 2020-11-02 C:\Users\wardog\Documents\AMSITLGTrace.evtx
Explorer BUILTIN\Administrators 2020-11-02 C:\Windows\System32\amsi.dll
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\Mordor-WinEvents.psm1
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\MordorDataset.json
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\mordor_raccine_simulation_mode_2020-10-18T05154752.evtx
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Downloads\Koppeling-master\Koppeling-master
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Downloads\Koppeling-master\Koppeling-master\Koppeling.sln
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Desktop\LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
Explorer BUILTIN\Administrators 2020-10-30 C:\Windows\System32\winevt\Logs
Explorer BUILTIN\Administrators 2020-10-30 C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Desktop\GruntDLL\GruntDLL\GruntDLL.sln
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\Export-WinEvents.ps1
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\export.evtx
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Downloads\ghidra-Ghidra_9.1.2_build\ghidra-Ghidra_9.1.2_build
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Desktop\GruntDLL\GruntDLL
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Desktop\GruntDLL.zip
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\export.json
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\Export-EventLogs.ps1
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Desktop\Dumpert-master\Dumpert-master\Dumpert
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Desktop
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Downloads\ghidra-Ghidra_9.1.2_build\ghidra-Ghidra_9.1.2_build\DevGuide.md
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\cmd_sam_copy_esentutl_2020-10-1900171197.json
Explorer BUILTIN\Administrators 2020-10-30 C:\Users\wardog\Documents\cmd_sam_copy_esentutl_2020-10-1823514110.json
Explorer BUILTIN\Administrators 2020-10-29 C:\Users\wardog\Desktop\SharpView-master\SharpView-master
Explorer BUILTIN\Administrators 2020-10-29 C:\Users\wardog\Desktop\SharpView-master\SharpView-master\SharpView.sln
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\YARA.xml
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Downloads\yara-v4.0.2-1347-win64.zip
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\wmic_remote_xsl_jscript4.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\wmic_remote_xsl_jscript5.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\wmic_remote_xsl_jscript3.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\wmic_remote_xsl_jscript2.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\wmic_remote_xsl_jscript.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\udl-yara.xml
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\TLGMetadataParser.ps1
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\TLGMetadataParser.psm1
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\test.txt
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\test.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\test.ps1
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\test.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Windows\System32
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\sysmon.xml
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\Start-EtwTrace.ps1
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\SimpleInjection 2\SimpleInjection\SimpleInjection.sln
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\SimpleInjection\SimpleInjection.zip
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\SimpleInjection 2\SimpleInjection
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\SimpleInjection 2.zip
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\Set-AuditRule.ps1
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\Security.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\raccine_simulation_mode_2020-10-18T05154752.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\raccine_2020-10-18T04185015.json
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\potential_process_herpaderping.yara
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\potential_process_herpaderping.txt
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Desktop\Dumpert-master\Dumpert-master\Dumpert\Outflank-Dumpert.sln
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\out8.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\out7.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\out6.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\out5.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\out3.evtx
Explorer BUILTIN\Administrators 2020-10-28 C:\Users\wardog\Documents\out4.evtx
====== ExplorerRunCommands ======
====== FileZilla ======
====== FirefoxPresence ======
====== IdleTime ======
CurrentUser : WORKSTATION5\wardog
Idletime : 00h:00m:00s:015ms (15 milliseconds)
====== IEFavorites ======
Favorites (wardog):
http://go.microsoft.com/fwlink/p/?LinkId=255142
====== IETabs ======
====== IEUrls ======
Internet Explorer typed URLs for the last 7 days
====== MappedDrives ======
Mapped Drives (via WMI)
====== MTPuTTY ======
====== OfficeMRUs ======
Enumerating Office most recently used files for the last 7 days
App User LastAccess FileName
--- ---- ---------- --------
====== PowerShellHistory ======
====== PuttyHostKeys ======
====== PuttySessions ======
====== RDCManFiles ======
====== RDPSavedConnections ======
====== SecPackageCreds ======
Version : NetNTLMv1
Hash : wardog::WORKSTATION5:99c43e8b88a02e13bae1b088a24d3a90aa64487f8da1e2fd:99c43e8b88a02e13bae1b088a24d3a90aa64487f8da1e2fd:1122334455667788
====== SlackDownloads ======
====== SlackPresence ======
====== SlackWorkspaces ======
====== SuperPutty ======
====== TokenGroups ======
Current Token's Groups
WORKSTATION5\None S-1-5-21-3940915590-64593676-1414006259-513
Everyone S-1-1-0
NT AUTHORITY\Local account and member of Administrators group S-1-5-114
BUILTIN\Administrators S-1-5-32-544
BUILTIN\Performance Log Users S-1-5-32-559
BUILTIN\Users S-1-5-32-545
BUILTIN\Remote Desktop Users S-1-5-32-555
NT AUTHORITY\REMOTE INTERACTIVE LOGON S-1-5-14
NT AUTHORITY\INTERACTIVE S-1-5-4
NT AUTHORITY\Authenticated Users S-1-5-11
NT AUTHORITY\This Organization S-1-5-15
NT AUTHORITY\Local account S-1-5-113
LOCAL S-1-2-0
NT AUTHORITY\NTLM Authentication S-1-5-64-10
====== WindowsCredentialFiles ======
Folder : C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
FileName : DFBE70A7E5CC19A398EBF1B96859CE5D
Description : Local Credential Data
MasterKey : 4e3bccc6-a1eb-4076-b723-6456d3dec626
Accessed : 11/2/2020 4:39:13 PM
Modified : 11/2/2020 4:39:13 PM
Size : 11184
Folder : C:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials
FileName : DFBE70A7E5CC19A398EBF1B96859CE5D
Description : Local Credential Data
MasterKey : 4e3bccc6-a1eb-4076-b723-6456d3dec626
Accessed : 11/2/2020 4:39:13 PM
Modified : 11/2/2020 4:39:13 PM
Size : 11184
Folder : C:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials
FileName : DFBE70A7E5CC19A398EBF1B96859CE5D
Description : Local Credential Data
MasterKey : 4e3bccc6-a1eb-4076-b723-6456d3dec626
Accessed : 11/2/2020 4:39:13 PM
Modified : 11/2/2020 4:39:13 PM
Size : 11184
Folder : C:\Users\wardog\AppData\Local\Microsoft\Credentials\
FileName : DFBE70A7E5CC19A398EBF1B96859CE5D
Description : Local Credential Data
MasterKey : ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe
Accessed : 11/2/2020 4:39:13 PM
Modified : 11/2/2020 4:39:13 PM
Size : 11184
Folder : C:\Users\wardog\AppData\Roaming\Microsoft\Credentials\
FileName : 38924BBFD1C490D90FFE70EECB3A3739
Description : Enterprise Credential Data
MasterKey : ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe
Accessed : 11/2/2020 4:39:13 PM
Modified : 11/2/2020 4:39:13 PM
Size : 474
====== WindowsVault ======
Vault GUID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
Vault Type : Web Credentials
Item count : 1
SchemaGuid : 3ccd5499-87a8-4b10-a215-608888dd3b55
Resource : String: http://ossemproject.com
Identity : String: pgustavo
PackageSid : (null)
Credential : String: Pass@Word
LastModified : 10/28/2020 11:18:10 PM
Vault GUID : 77bc582b-f0a6-4e15-4e80-61736b6f3b29
Vault Type : Windows Credentials
Item count : 1
SchemaGuid : 3e0e35be-1b77-43e7-b873-aed901b6275b
Resource : String: Domain:target=threathunterplaybook.com
Identity : String: wardog
PackageSid : (null)
Credential :
LastModified : 10/28/2020 11:13:44 PM
[*] Completed collection in 1.834 seconds
C:\Users\wardog\Desktop>
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/cmd_seatbelt_group_user.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)