Seatbelt Group User Discovery

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/11/02

Modification Date

2020/11/02

Tactics

TA0007

Techniques

T1012

Tags

None

Dataset Description

This dataset represents a threat actor using Seatbelt profiling an endpoint. This specifically uses the -group=user command.

Simulation Metadata

Tools

type

Name

Module

Manual

Cmd

Cmd

Adversary View

C:\Users\wardog\Desktop>Seatbelt.exe -group=user

                        %&&@@@&&
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
                        &%%&&&%%%%%        v1.1.0         ,(((&%%%%%%%%%%%%%%%%%,
                        #%%%%##,


====== ChromePresence ======

  C:\Users\wardog\AppData\Local\Google\Chrome\User Data\Default\

    'History'     (11/2/2020 4:25:44 PM)  :  Run the 'ChromeHistory' command
    'Cookies'     (11/2/2020 4:25:45 PM)  :  Run SharpDPAPI/SharpChrome or the Mimikatz "dpapi::chrome" module
    'Login Data'  (11/2/2020 4:25:44 PM)  :  Run SharpDPAPI/SharpChrome or the Mimikatz "dpapi::chrome" module
    Chrome Version                       :  86.0.4240.183
        Version is 80+, new DPAPI scheme must be used
====== CloudCredentials ======

====== CredEnum ======

  Target              : XboxLive
  UserName            :
  Password            : 45 43 53 32 20 00 00 00 11 F5 17 F2 CA 4E 24 26 0A 61 2C 8B E6 3A 3C 99 9A 09 88 A1 BE 7B BA 72 07 8A 5D CD A1 B3 A4 18 60 38 AD 4B 6D 40 5C 05 68 C3 A6 C8 51 C0 98 7C CB 3C DA AA 65 88 E6 B8 C0 93 BA FE 21 E5 34 7B A0 A9 F2 4B EF 09 D1 1E AE 10 AD 98 E7 AE C6 9B 27 D2 CF 50 39 CC 97 78 E9 0D 82 E3 1B 11 4C 90
  CredentialType      : Generic
  PersistenceType     : Session
  LastWriteTime       : 10/29/2020 5:51:36 PM

  Target              : threathunterplaybook.com
  UserName            : wardog
  Password            :
  CredentialType      : DomainPassword
  PersistenceType     : Enterprise
  LastWriteTime       : 10/28/2020 7:13:44 PM

====== dir ======

  LastAccess LastWrite  Size      Path

  20-09-07   20-09-07   0B        C:\Users\Default\Documents\My Music\
  20-09-07   20-09-07   0B        C:\Users\Default\Documents\My Pictures\
  20-09-07   20-09-07   0B        C:\Users\Default\Documents\My Videos\
  20-10-26   20-11-02   1.7KB     C:\Users\Public\Desktop\Git Bash.lnk
  20-11-02   20-11-02   2.2KB     C:\Users\Public\Desktop\Google Chrome.lnk
  20-10-08   20-10-28   0B        C:\Users\Public\Documents\Explorer Suite Signatures\
  20-09-07   20-09-07   0B        C:\Users\Public\Documents\My Music\
  20-09-07   20-09-07   0B        C:\Users\Public\Documents\My Pictures\
  20-09-07   20-09-07   0B        C:\Users\Public\Documents\My Videos\
  20-10-25   20-11-02   0B        C:\Users\wardog\Desktop\capa-v1.4.1-windows\
  20-10-18   20-11-02   0B        C:\Users\wardog\Desktop\Dumpert-master\
  20-10-13   20-11-02   0B        C:\Users\wardog\Desktop\GruntDLL\
  20-10-25   20-11-02   0B        C:\Users\wardog\Desktop\mimikatz_trunk\
  20-10-29   20-11-02   0B        C:\Users\wardog\Desktop\SharpView-master\
  20-10-09   20-11-02   0B        C:\Users\wardog\Desktop\SimpleInjection\
  20-10-13   20-11-02   0B        C:\Users\wardog\Desktop\SimpleInjection 2\
  20-10-23   20-10-23   1.9KB     C:\Users\wardog\Desktop\0001.dat
  20-10-18   20-10-18   81.2KB    C:\Users\wardog\Desktop\Dumpert-master.zip
  20-10-13   20-10-13   8.4MB     C:\Users\wardog\Desktop\GruntDLL.zip
  20-10-13   20-10-13   42.1KB    C:\Users\wardog\Desktop\GruntHTTP.bin
  20-10-21   20-11-02   392.9MB   C:\Users\wardog\Desktop\igfx_win10_100.8853.exe
  20-10-08   20-11-02   1.4KB     C:\Users\wardog\Desktop\Microsoft Edge.lnk
  20-10-25   20-11-02   1.2MB     C:\Users\wardog\Desktop\mimikatz.exe
  20-10-27   20-10-29   33B       C:\Users\wardog\Desktop\my_first_rule
  20-10-18   20-11-02   74KB      C:\Users\wardog\Desktop\Outflank-Dumpert.exe
  20-10-28   20-10-29   1.8KB     C:\Users\wardog\Desktop\potential_process_herpaderping.yara
  20-10-27   20-11-02   1.9KB     C:\Users\wardog\Desktop\Process Hacker 2.lnk
  20-10-26   20-11-02   2.1MB     C:\Users\wardog\Desktop\ProcessHerpaderping.exe
  20-10-27   20-10-27   1.6KB     C:\Users\wardog\Desktop\ProcessHerpaderping.exe.colors
  20-10-27   20-10-27   15.7MB    C:\Users\wardog\Desktop\ProcessHerpaderping.exe.viv
  20-10-23   20-11-02   266.5KB   C:\Users\wardog\Desktop\PurpleSharp.exe
  20-10-21   20-11-02   505.5KB   C:\Users\wardog\Desktop\Seatbelt.exe
  20-10-29   20-10-29   651.3KB   C:\Users\wardog\Desktop\SharpView-master.zip
  20-10-13   20-10-13   1.4MB     C:\Users\wardog\Desktop\SimpleInjection 2.zip
  20-10-16   20-10-23   53KB      C:\Users\wardog\Desktop\SimpleInjection.dll
  20-10-08   20-10-08   22.8MB    C:\Users\wardog\Desktop\SimpleInjection.zip
  20-10-17   20-10-17   15.2KB    C:\Users\wardog\Desktop\sysmon.xml
  20-10-09   20-10-27   209.5KB   C:\Users\wardog\Desktop\test.dll
  20-10-27   20-10-27   1.1KB     C:\Users\wardog\Desktop\test.dll.colors
  20-10-10   20-10-10   208.2KB   C:\Users\wardog\Desktop\test.json
  20-10-09   20-10-12   88.5KB    C:\Users\wardog\Desktop\test2.dll
  20-10-27   20-11-02   2.1MB     C:\Users\wardog\Desktop\yara64.exe
  20-10-27   20-11-02   2MB       C:\Users\wardog\Desktop\yarac64.exe
  20-10-26   20-11-02   0B        C:\Users\wardog\Documents\herpaderping\
  20-10-18   20-10-28   0B        C:\Users\wardog\Documents\LocaleMetaData\
  20-10-08   20-10-08   0B        C:\Users\wardog\Documents\My Music\
  20-10-08   20-10-08   0B        C:\Users\wardog\Documents\My Pictures\
  20-10-08   20-10-08   0B        C:\Users\wardog\Documents\My Videos\
  20-10-18   20-10-28   0B        C:\Users\wardog\Documents\Raccine(1)\
  20-11-02   20-11-02   0B        C:\Users\wardog\Documents\Set-AuditRule-master\
  20-10-08   20-10-28   0B        C:\Users\wardog\Documents\TagsRevisited\
  20-10-08   20-10-30   0B        C:\Users\wardog\Documents\Visual Studio 2019\
  20-10-17   20-10-28   0B        C:\Users\wardog\Documents\WindowsPowerShell\
  20-10-08   20-10-08   8.4MB     C:\Users\wardog\Documents\GruntDLL.zip
  20-10-21   20-11-02   8.1KB     C:\Users\wardog\Documents\Mordor-WinEvents.psm1
  20-11-02   20-11-02   208.2KB   C:\Users\wardog\Documents\psh_powershell_httplistener_2020-11-0204130683.json
  20-10-29   20-10-29   3.4MB     C:\Users\wardog\Documents\psh_python_webserver_2020-10-2900161507.json
  20-10-28   20-10-28   208.9KB   C:\Users\wardog\Documents\psh_web_credentials_2020-10-2819191483.json
  20-10-18   20-10-18   283.3KB   C:\Users\wardog\Documents\Raccine(1).zip
  20-11-02   20-11-02   879.8KB   C:\Users\wardog\Documents\Set-AuditRule-master.zip
  20-10-20   20-10-21   10.3KB    C:\Users\wardog\Documents\Set-AuditRule.ps1
  20-10-16   20-10-16   2.3KB     C:\Users\wardog\Documents\Start-EtwTrace.ps1
  20-10-16   20-10-16   47.4KB    C:\Users\wardog\Documents\TLGMetadataParser.ps1
  20-10-16   20-10-16   47.4KB    C:\Users\wardog\Documents\TLGMetadataParser.psm1
  20-10-27   20-10-27   6.6KB     C:\Users\wardog\Documents\udl-yara.xml
  20-10-27   20-10-27   6KB       C:\Users\wardog\Documents\YARA.xml
  20-10-10   20-10-28   0B        C:\Users\wardog\Downloads\evtx_dump-0.6.8-x86_64-pc-windows-msvc.tar\
  20-10-10   20-10-28   0B        C:\Users\wardog\Downloads\fd-v8.1.1-x86_64-pc-windows-msvc\
  20-10-08   20-11-02   0B        C:\Users\wardog\Downloads\Koppeling-master\
  20-10-27   20-10-28   0B        C:\Users\wardog\Downloads\OpenJDK11U-jdk_x64_windows_hotspot_11.0.9_11\
  20-10-19   20-10-28   0B        C:\Users\wardog\Downloads\PSTools\
  20-10-09   20-10-28   0B        C:\Users\wardog\Downloads\Sysmon\
  20-10-27   20-10-28   0B        C:\Users\wardog\Downloads\yara-v4.0.2-1347-win64\
  20-10-25   20-10-25   11.1MB    C:\Users\wardog\Downloads\capa-v1.4.1-windows.zip
  20-10-10   20-10-10   1.2MB     C:\Users\wardog\Downloads\evtx_dump-0.6.8-x86_64-pc-windows-msvc.tar.gz
  20-10-10   20-10-10   898.4KB   C:\Users\wardog\Downloads\fd-v8.1.1-x86_64-pc-windows-msvc.zip
  20-10-27   20-10-27   67.5MB    C:\Users\wardog\Downloads\ghidra-Ghidra_9.1.2_build.zip
  20-10-08   20-10-08   36.3KB    C:\Users\wardog\Downloads\Koppeling-master.zip
  20-10-25   20-10-25   1.1MB     C:\Users\wardog\Downloads\mimikatz_trunk.zip
  20-10-27   20-10-27   186.7MB   C:\Users\wardog\Downloads\OpenJDK11U-jdk_x64_windows_hotspot_11.0.9_11.zip
  20-10-19   20-10-19   3MB       C:\Users\wardog\Downloads\PSTools.zip
  20-10-09   20-10-09   1.8MB     C:\Users\wardog\Downloads\Sysmon.zip
  20-10-27   20-10-27   2MB       C:\Users\wardog\Downloads\yara-v4.0.2-1347-win64.zip
====== DpapiMasterKeys ======

  Folder : C:\Users\wardog\AppData\Roaming\Microsoft\Protect\S-1-5-21-3940915590-64593676-1414006259-500

    LastAccessed              LastModified              FileName
    ------------              ------------              --------
    10/18/2020 3:41:37 AM     10/18/2020 3:41:37 AM     ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe


  [*] Use the Mimikatz "dpapi::masterkey" module with appropriate arguments (/pvk or /rpc) to decrypt
  [*] You can also extract many DPAPI masterkeys from memory with the Mimikatz "sekurlsa::dpapi" module
  [*] You can also use SharpDPAPI for masterkey retrieval.
====== ExplorerMRUs ======

  Explorer  BUILTIN\Administrators  2020-11-02  C:\Users\wardog\Documents\cmd_psexec_lsa_secrets_dump_2020-10-2001090629.json
  Explorer  BUILTIN\Administrators  2020-11-02  C:\Users\wardog\Documents\AMSITLGTrace.evtx
  Explorer  BUILTIN\Administrators  2020-11-02  C:\Windows\System32\amsi.dll
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\Mordor-WinEvents.psm1
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\MordorDataset.json
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\mordor_raccine_simulation_mode_2020-10-18T05154752.evtx
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Downloads\Koppeling-master\Koppeling-master
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Downloads\Koppeling-master\Koppeling-master\Koppeling.sln
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Desktop\LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Windows\System32\winevt\Logs
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Desktop\GruntDLL\GruntDLL\GruntDLL.sln
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\Export-WinEvents.ps1
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\export.evtx
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Downloads\ghidra-Ghidra_9.1.2_build\ghidra-Ghidra_9.1.2_build
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Desktop\GruntDLL\GruntDLL
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Desktop\GruntDLL.zip
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\export.json
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\Export-EventLogs.ps1
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Desktop\Dumpert-master\Dumpert-master\Dumpert
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Desktop
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Downloads\ghidra-Ghidra_9.1.2_build\ghidra-Ghidra_9.1.2_build\DevGuide.md
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\cmd_sam_copy_esentutl_2020-10-1900171197.json
  Explorer  BUILTIN\Administrators  2020-10-30  C:\Users\wardog\Documents\cmd_sam_copy_esentutl_2020-10-1823514110.json
  Explorer  BUILTIN\Administrators  2020-10-29  C:\Users\wardog\Desktop\SharpView-master\SharpView-master
  Explorer  BUILTIN\Administrators  2020-10-29  C:\Users\wardog\Desktop\SharpView-master\SharpView-master\SharpView.sln
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\YARA.xml
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Downloads\yara-v4.0.2-1347-win64.zip
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\wmic_remote_xsl_jscript4.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\wmic_remote_xsl_jscript5.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\wmic_remote_xsl_jscript3.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\wmic_remote_xsl_jscript2.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\wmic_remote_xsl_jscript.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\udl-yara.xml
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\TLGMetadataParser.ps1
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\TLGMetadataParser.psm1
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\test.txt
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\test.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\test.ps1
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\test.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Windows\System32
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\sysmon.xml
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\Start-EtwTrace.ps1
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\SimpleInjection 2\SimpleInjection\SimpleInjection.sln
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\SimpleInjection\SimpleInjection.zip
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\SimpleInjection 2\SimpleInjection
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\SimpleInjection 2.zip
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\Set-AuditRule.ps1
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\Security.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\raccine_simulation_mode_2020-10-18T05154752.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\raccine_2020-10-18T04185015.json
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\potential_process_herpaderping.yara
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\potential_process_herpaderping.txt
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Desktop\Dumpert-master\Dumpert-master\Dumpert\Outflank-Dumpert.sln
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\out8.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\out7.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\out6.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\out5.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\out3.evtx
  Explorer  BUILTIN\Administrators  2020-10-28  C:\Users\wardog\Documents\out4.evtx
====== ExplorerRunCommands ======

====== FileZilla ======

====== FirefoxPresence ======

====== IdleTime ======

  CurrentUser : WORKSTATION5\wardog
  Idletime    : 00h:00m:00s:015ms (15 milliseconds)

====== IEFavorites ======

Favorites (wardog):

  http://go.microsoft.com/fwlink/p/?LinkId=255142

====== IETabs ======

====== IEUrls ======

Internet Explorer typed URLs for the last 7 days

====== MappedDrives ======

Mapped Drives (via WMI)

====== MTPuTTY ======

====== OfficeMRUs ======

Enumerating Office most recently used files for the last 7 days

  App       User                     LastAccess    FileName
  ---       ----                     ----------    --------
====== PowerShellHistory ======

====== PuttyHostKeys ======

====== PuttySessions ======

====== RDCManFiles ======

====== RDPSavedConnections ======

====== SecPackageCreds ======

  Version                        : NetNTLMv1
  Hash                           : wardog::WORKSTATION5:99c43e8b88a02e13bae1b088a24d3a90aa64487f8da1e2fd:99c43e8b88a02e13bae1b088a24d3a90aa64487f8da1e2fd:1122334455667788

====== SlackDownloads ======

====== SlackPresence ======

====== SlackWorkspaces ======

====== SuperPutty ======

====== TokenGroups ======

Current Token's Groups

  WORKSTATION5\None                        S-1-5-21-3940915590-64593676-1414006259-513
  Everyone                                 S-1-1-0
  NT AUTHORITY\Local account and member of Administrators group S-1-5-114
  BUILTIN\Administrators                   S-1-5-32-544
  BUILTIN\Performance Log Users            S-1-5-32-559
  BUILTIN\Users                            S-1-5-32-545
  BUILTIN\Remote Desktop Users             S-1-5-32-555
  NT AUTHORITY\REMOTE INTERACTIVE LOGON    S-1-5-14
  NT AUTHORITY\INTERACTIVE                 S-1-5-4
  NT AUTHORITY\Authenticated Users         S-1-5-11
  NT AUTHORITY\This Organization           S-1-5-15
  NT AUTHORITY\Local account               S-1-5-113
  LOCAL                                    S-1-2-0
  NT AUTHORITY\NTLM Authentication         S-1-5-64-10
====== WindowsCredentialFiles ======

  Folder : C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

    FileName     : DFBE70A7E5CC19A398EBF1B96859CE5D
    Description  : Local Credential Data
    MasterKey    : 4e3bccc6-a1eb-4076-b723-6456d3dec626
    Accessed     : 11/2/2020 4:39:13 PM
    Modified     : 11/2/2020 4:39:13 PM
    Size         : 11184


  Folder : C:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials

    FileName     : DFBE70A7E5CC19A398EBF1B96859CE5D
    Description  : Local Credential Data
    MasterKey    : 4e3bccc6-a1eb-4076-b723-6456d3dec626
    Accessed     : 11/2/2020 4:39:13 PM
    Modified     : 11/2/2020 4:39:13 PM
    Size         : 11184


  Folder : C:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials

    FileName     : DFBE70A7E5CC19A398EBF1B96859CE5D
    Description  : Local Credential Data
    MasterKey    : 4e3bccc6-a1eb-4076-b723-6456d3dec626
    Accessed     : 11/2/2020 4:39:13 PM
    Modified     : 11/2/2020 4:39:13 PM
    Size         : 11184


  Folder : C:\Users\wardog\AppData\Local\Microsoft\Credentials\

    FileName     : DFBE70A7E5CC19A398EBF1B96859CE5D
    Description  : Local Credential Data
    MasterKey    : ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe
    Accessed     : 11/2/2020 4:39:13 PM
    Modified     : 11/2/2020 4:39:13 PM
    Size         : 11184


  Folder : C:\Users\wardog\AppData\Roaming\Microsoft\Credentials\

    FileName     : 38924BBFD1C490D90FFE70EECB3A3739
    Description  : Enterprise Credential Data
    MasterKey    : ad27dbc8-def4-4b0d-bfbd-89b429dfe9fe
    Accessed     : 11/2/2020 4:39:13 PM
    Modified     : 11/2/2020 4:39:13 PM
    Size         : 474


====== WindowsVault ======


  Vault GUID     : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
  Vault Type     : Web Credentials
  Item count     : 1
      SchemaGuid   : 3ccd5499-87a8-4b10-a215-608888dd3b55
      Resource     : String: http://ossemproject.com
      Identity     : String: pgustavo
      PackageSid   : (null)
      Credential   : String: Pass@Word
      LastModified : 10/28/2020 11:18:10 PM

  Vault GUID     : 77bc582b-f0a6-4e15-4e80-61736b6f3b29
  Vault Type     : Windows Credentials
  Item count     : 1
      SchemaGuid   : 3e0e35be-1b77-43e7-b873-aed901b6275b
      Resource     : String: Domain:target=threathunterplaybook.com
      Identity     : String: wardog
      PackageSid   : (null)
      Credential   :
      LastModified : 10/28/2020 11:13:44 PM


[*] Completed collection in 1.834 seconds

C:\Users\wardog\Desktop> 

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/discovery/host/cmd_seatbelt_group_user.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)