Mordor 0.0.2

Author: Cyb3rWard0g

CHANGELOG.md

@@ -0,0 +1,110 @@
+# Changelog
+
+## Verion 0.0.2
+----------------------------------
+
+[Full Changelog](https://github.com/Cyb3rWard0g/mordor/compare/0.0.1...0.0.2)
+
+### Fixed:
+**defense evesion**
+
+* Process Injection
+  * Empire PsInject
+
+### Added:
+**Credential Access**
+
+* Credential Dumping
+  * Empire Mimikatz Export Master Key
+  * Empire Mimikatz Extract Tickets
+  * Empire Mimikatz Lsadump
+  * Empire Powerdump
+
+**Defense Evasion**
+
+* Modify Registry
+  * Empire Enable RDP
+  * Empire Wdigest Downgrade
+
+* Process Injection
+  * Empire Dll Injection
+
+* Trusted Developer Utilities
+  * Empire Invoke Msbuild
+
+**Discovery**
+
+* Account Discovery
+  * Empire Fin-LocalAdminAccess
+  * Empire Net User Domain SPecific
+
+* System Network Connections Discovery
+  * Empire Get Session Local
+  * Empire Get Session DC
+
+* System Service Discovery
+  * Empire Net Start
+  * Empire Powerup All Checks
+
+**Execution**
+
+* PowerShell
+  * Empire Invoke Psremoting
+* Service Execution
+  * Empire Invoke Psexec
+* Windows Management Instrumentation
+  * Empire Invoke wmi debugger
+  * Empire wmic add user backdoor
+
+**Lateral Movement**
+
+* Distributed Component Object Model
+  * Empire Invoke DCOM
+* Trusted Developer Utilities
+  * Empire Invoke Msbuild
+* Windows Admin Shares
+  * Empire Infoke Smbexec
+* PowerShell
+  * Empire Invoke Psremoting
+* Service Execution
+  * Empire Invoke Psexec
+* Windows Management Instrumentation
+  * Empire Invoke wmi debugger
+  * Empire wmic add user backdoor
+
+**Persistence**
+
+* Registry Run
+  * Empire Elevated Registry
+* Scheduled Tasks
+  * Empire Elevated Schtasks
+* WMI Event Subscription
+  * Empire Elevated WMI
+
+**Privilege Escalation**
+
+* Access Token Manipulation
+  * Empire Invoke Runas
+* Bypass UAC
+  * Empire Ask
+
+### Updated:
+**Execution**
+
+* Windows Management Instrumentation
+  * Empire Invoke-Wmi
+
+**Credential Access**
+
+* Credential Dumping
+  * Empire Mimikatz logonpasswords
+
+**Discovery**
+
+* Permissions Group Discovery
+  * Empire Net Domain Admins
+
+**Execution**
+
+* Scripting
+  * Empire Launcher Vbs

README.md

@@ -20,47 +20,6 @@ The name **Mordor** comes from the awesome book/film series "[The Lord of the Ri
 * Ingest known bad data samples for training and capture the flag (CTF) events.
 * Learn more about red team simulation exercises and technology such as Kafkacat, Kafka and Jupyter Notebooks.
 
-# Why Mordor?
-
-Think about an attack that you want to test in your lab environment.
-Let's say we want to emulate an adversary using a non-domain-controller-account abusing the use of Active Directory replication services to optain the NTLM hash of user.
-What do we do if we want to automate and expedite the emulation process? Usually the following might happen:
-
-* Google for "DCSync" to look for the right script or red team simulation toolkit/project to execute the attack.
-* Find that it can be done via several programming languages and several tools out there.
-* Pick a "variant". In this case let's say we pick the Invoke-Mimikatz script from Powershell Empire.
-* Test the adversarial technique.
-* Document relevant data sources. At the endpoint level, the main behavior produces specific Windows Security events (Event ID 4662).
-* Consider other variants and try another way to accomplish the main adversarial objective.
-* Test another basic variant via another atomic red teaming toolkit. At the endpoint level, the main behavior produces the same Windows Security events (Events ID 4662).
-* Learn and test new ways to execute the adversarial technique (i.e .NET) and run it again.
-* At the endpoint level, the main behavior produces again the same Windows Security events (Events ID 4662).
-
-In my basic DCSync test I was using a user with replication permissions to initiate an ad replication operation.
-The user name was ``Mmidge``.
-I was getting one of the following events:
-
-<img src="docs/source/_static/event-log-dcsync-one.png" width="500" height="" />
-
-## What is going on here?
-
-Most of the time, depending on the detection goal, it does not matter what tool or programming language I use to emulate the adversarial technique or how many times I execute the attack, I still get the same event logic, pattern or relevant data.
-
-From my basic example, I ask myself these question:
-
-* What is my main goal?
-* Do I want to primarily detect .NET behavior or the behavior of a non-domain-controller account abusing ad replication services?.
-
-Do not get me wrong, the extra context of the execution method or the technique enabler is also valuable.
-However, I believe that we can expedite the emulation of an adversarial technique by giving you the relevant data and pattern directly and go straight to the analysis phase of your threat detection strategy.
-
-## Do I ONLY get the events related to the adversarial techniques?
-
-* You get the potential relevant events and the extra context produced by other security events that get created during the time window of the log collection.
-* This is valuable if you want to explore other ways to enrich your data analytic and use extra context from events from different data sources.
-* For example, you also get events of the command and control communication from the endpoint which can then be mapped to the specific adversarial technique you are analyzing.
-* In addition, depending on the type of dataset you use, you get more context. Learn more about them in our [documentation here](https://mordor.readthedocs.io/en/latest/mordor_categorization.html)
-
 # Getting Started
 
 * Mordor Environments
@@ -100,7 +59,7 @@ There are a few things that we would like to accomplish with this repo as shown
 - [ ] Share Terraform & Packer config files to deploy the same environment in the cloud
 - [ ] Add a Bro sensor
 - [ ] Multiple custom network setup for contributions
-- [ ] Prepare Large Dataset ;)
-- [ ] Logo
+- [X] Prepare Large Dataset ;)
+- [X] Logo
 
 More coming soon...

docs/source/_static/empire_ask.png

@@ -15,23 +15,23 @@ Network Design
     :alt: The Shire Design
     :scale: 35%
 
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Platform  | Version     | Purpose       | Name      | IP Address    | Main User     |
-+===========+=============+===============+===========+===============+===============+
-| Windows   | Win 2016    | DC            | HFDC1     | 172.18.39.5   | Administrator |
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Windows   | Win 10      | Client        | HR001     | 172.18.39.106 | nmartha       |
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Windows   | Win 10      | Client        | IT001     | 172.18.39.105 | pgustavo      |
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Windows   | Win 10      | Client        | ACCT001   | 172.18.39.100 | lrodriguez    |
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Windows   | Win 2016    | Win Collector | WECServer | 172.18.39.102 | wecserver     |
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Linux     | HELK 0.1.7  | Log Collector | helk      | 10.0.10.102   | helk          |
-+-----------+-------------+---------------+-----------+---------------+---------------+
-| Linux     | Kali 2018.4 | Red Team C2   | kali      | 10.0.10.106   | wardog        |
-+-----------+-------------+---------------+-----------+---------------+---------------+
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Platform  | Version     | Purpose       | FQDN                | IP Address    | Main User     |
++===========+=============+===============+=====================+===============+===============+
+| Windows   | Win 2016    | DC            | HFDC1.shire.com     | 172.18.39.5   | Administrator |
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Windows   | Win 10      | Client        | HR001.shire.com     | 172.18.39.106 | nmartha       |
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Windows   | Win 10      | Client        | IT001.shire.com     | 172.18.39.105 | pgustavo      |
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Windows   | Win 10      | Client        | ACCT001.shire.com   | 172.18.39.100 | lrodriguez    |
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Windows   | Win 2016    | Log Collector | WECServer.shire.com | 172.18.39.102 | wecserver     |
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Linux     | HELK 0.1.7  | Data Analysis | helk                | 10.0.10.102   | helk          |
++-----------+-------------+---------------+---------------------+---------------+---------------+
+| Linux     | Kali 2018.4 | Red Team C2   | kali                | 10.0.10.106   | wardog        |
++-----------+-------------+---------------+---------------------+---------------+---------------+
 
 Data Sources Collected
 ######################

docs/source/_static/empire_launcher_vbs.png

@@ -4,6 +4,6 @@ An adversary with enough permissions can abuse active directory services to acce
 
 ## Technique Variations Table
 
-| RT Platform | Network | Dataset | Updated |
-| ----------- | ------- | --------- | ------- |
-| empire |  shire | [empire_dcsync](./empire_dcsync.md) | 2019-03-01174830 |
+| Network | Dataset | Updated |
+| ------- | --------- | ------- |
+| shire | [empire_dcsync](./empire_dcsync.md) | 2019-03-01174830 |

docs/source/network_shire.rst

@@ -1,4 +1,3 @@
-
 # Empire DCSync
 
 An adversary with replication permissions (default in Domain Admins) can use the active directory replication apis to pull the NTLM hash of any user in the network.
@@ -78,7 +77,7 @@ Shire
 | Microsoft-Windows-PowerShell/Operational                           | Microsoft-Windows-PowerShell                              | Executing Pipeline                                     |            2325 |
 | Microsoft-Windows-Bits-Client/Operational                          | Microsoft-Windows-Bits-Client                             | na                                                     |               6 |
 
-## Empire Activity
+## Attacker Activity
 
 ```
 usemodule credentials/mimikatz/dcsync

small_datasets/windows/credential_access/credential_dumping_T1003/credentials_from_ad/README.md

@@ -4,6 +4,8 @@ An adversary can grab credentials from the memory contents of processes such as
 
 ## Technique Variations Table
 
-| RT Platform | Network | Dataset | Updated |
-| ----------- | ------- | --------- | ------- |
-| empire |  shire | [empire_mimikatz_logonpasswords](./empire_mimikatz_logonpasswords.md) | 019-03-19130532 |
+| Network | Dataset | Updated |
+| ------- | --------- | ------- |
+| shire | [empire_mimikatz_logonpasswords](./empire_mimikatz_logonpasswords.md) | 2019-05-18202151 |
+| shire | [empire_mimikatz_extract_tickets](./empire_mimikatz_extract_tickets.md) | 2019-05-18230752 |
+| shire | [empire_mimikatz_export_master_keys](./empire_mimikatz_export_master_key.md) | 2019-05-18235535 |