Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2018-10-12 00:28:10 +00:00
parent 84677cc45c
commit 664ca4d109
3 changed files with 104 additions and 0 deletions
+96
@@ -147,6 +147,14 @@ Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs</blockquote>
- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
<br/>
@@ -213,3 +221,91 @@ reg save HKLM\system system
reg save HKLM\security security
```
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with `command_prompt`!
```
procdump.exe -accepteula -ma lsass.exe #{output_file}
```
<br/>
<br/>
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with these steps!
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
<br/>
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
#### Run it with `command_prompt`!
```
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
<br/>
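Review bot: two defects in this hunk, both of which belong in the source YAML this markdown is generated from rather than in the generated file. First, the Atomic Test #7 input table describes `input_file` as "Path where resulting dump should be placed", which is the `output_file` description carried over from Test #5; in Test #7 the parameter is the dump that `sekurlsa::minidump #{input_file}` reads, so the description should say something like "Path of the lsass memory dump to analyze". Second, the Atomic Test #8 command `ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q` uses typographic quotes (“ ”), which cmd.exe does not recognize as quoting characters, and the quote opened before `create full` is never closed, so the `#{output_folder}` argument is not delimited as intended; replace them with straight double quotes and close the quote after `#{output_folder}` so that `q q` remain separate arguments.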
+4
@@ -421,6 +421,10 @@
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #1: Browser and System credentials [macos]
- Atomic Test #2: Extract credentials from files [macos, linux]
+4
@@ -284,6 +284,10 @@
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #3: Mimikatz & Kittenz [windows]
- Atomic Test #4: Extracting credentials from files [windows]