Create T1003.005.yaml (#1780)
* Create T1003.005.yaml * Update T1003.005.yaml Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
IntelScott
@@ -0,0 +1,17 @@
|
||||
attack_technique: T1003.005
|
||||
display_name: 'OS Credential Dumping: Cached Domain Credentials'
|
||||
atomic_tests:
|
||||
- name: Cached Credential Dump via Cmdkey
|
||||
description: |
|
||||
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
|
||||
Credentials listed with Cmdkey only pertain to the current user
|
||||
Passwords will not be displayed once they are stored
|
||||
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
- name: command_prompt
|
||||
elevation_required: false
|
||||
command: |
|
||||
cmdkey /list
|
||||
Reference in New Issue
Block a user