diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1655812f..b7015abc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -90185,9 +90185,9 @@ credential-access: - description: 'Google Chrome must be on the device. ' - prereq_command: '''if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") + prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) - {exit 0} else {exit 1}'' + {exit 0} else {exit 1} ' get_prereq_command: | @@ -98059,8 +98059,8 @@ discovery: command: | net localgroup net group /domain - net group "domain admins" /domain net group "enterprise admins" /domain + net group "domain admins" /domain name: command_prompt - name: Permission Groups Discovery PowerShell (Domain) auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 @@ -98073,7 +98073,7 @@ discovery: user: description: User to identify what groups a user is a member of type: string - default: administrator + default: "$env:USERNAME" executor: command: 'get-ADPrincipalGroupMembership #{user} | select name @@ -98088,10 +98088,10 @@ discovery: - windows executor: command: | - net group /domai "Domain Admins" net groups "Account Operators" /doma net groups "Exchange Organization Management" /doma net group "BUILTIN\Backup Operators" /doma + net group /domai "Domain Admins" name: command_prompt - name: Find machines where user has local admin access (PowerView) auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1 diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 4c1822d5..45c10cf4 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -77419,9 +77419,9 @@ credential-access: - description: 'Google Chrome must be on the device. ' - prereq_command: '''if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") + prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) - {exit 0} else {exit 1}'' + {exit 0} else {exit 1} ' get_prereq_command: | @@ -84323,8 +84323,8 @@ discovery: command: | net localgroup net group /domain - net group "domain admins" /domain net group "enterprise admins" /domain + net group "domain admins" /domain name: command_prompt - name: Permission Groups Discovery PowerShell (Domain) auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 @@ -84337,7 +84337,7 @@ discovery: user: description: User to identify what groups a user is a member of type: string - default: administrator + default: "$env:USERNAME" executor: command: 'get-ADPrincipalGroupMembership #{user} | select name @@ -84352,10 +84352,10 @@ discovery: - windows executor: command: | - net group /domai "Domain Admins" net groups "Account Operators" /doma net groups "Exchange Organization Management" /doma net group "BUILTIN\Backup Operators" /doma + net group /domai "Domain Admins" name: command_prompt - name: Find machines where user has local admin access (PowerView) auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1 diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index c30d0bfc..1f10eab6 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -59,8 +59,8 @@ information will be displayed. ```cmd net localgroup net group /domain -net group "domain admins" /domain net group "enterprise admins" /domain +net group "domain admins" /domain ``` @@ -87,7 +87,7 @@ information will be displayed. #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| user | User to identify what groups a user is a member of | string | administrator| +| user | User to identify what groups a user is a member of | string | $env:USERNAME| #### Attack Commands: Run with `powershell`! @@ -123,10 +123,10 @@ test will display some errors if run on a computer not connected to a domain. Up ```cmd -net group /domai "Domain Admins" net groups "Account Operators" /doma net groups "Exchange Organization Management" /doma net group "BUILTIN\Backup Operators" /doma +net group /domai "Domain Admins" ``` diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index 3be5a7e5..bb9e654c 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -3,7 +3,7 @@
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018) - + Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004). Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)